freelancer-crm
v1.0.2
Autonomous CRM for freelancers. Tracks clients, detects follow-up opportunities, generates proposals, tracks invoices, and sends a weekly digest. Works via W...
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
medium confidence
Purpose & Capability
The files (client management, follow-up, invoice tracker, proposal generator, WhatsApp senders, setup) match the advertised CRM functionality. The skill uses a local clients.json and config.json for credentials and preferences, which is coherent with the stated local-first design. Minor inconsistencies: README lists Node.js as a requirement and the bridge path relies on an 'openclaw' CLI (likely Node-based) even though the registry metadata doesn't declare any required binaries; this is plausible for the WhatsApp Bridge option but should be noted.
Instruction Scope
SKILL.md instructs the agent to use the included crm_cli.py and local clients.json, which the code implements. It also requires asking for approval before sending WhatsApp messages. One potential ambiguity: SKILL.md declares a cron trigger for Monday digest but the digest code returns a message (generate_digest) rather than automatically sending it; the agent's runtime behavior around 'run digest then send' must respect the approval rule. The instructions forbid generic web_search/memory_search which is consistent with a local-data skill.
Install Mechanism
There is no remote binary download or opaque installer in the skill bundle. setup.py installs Python packages via pip (filelock, requests) — expected for the included Python code. No extract-from-URL installs or third-party package downloads beyond pip are present. The setup runs a test message over the network (WhatsApp) which is expected functionality but is a network action to be aware of.
Credentials
The skill does not request environment variables or unrelated credentials. API tokens (for WhatsApp Business API) are collected during setup and stored in config.json (local file). That is proportionate to a WhatsApp-sending CRM. No unrelated secrets or broad credential access is requested. Note: the README and SKILL.md reference config fields (api_token, api_phone_id) rather than env vars — ensure you are comfortable storing those locally.
Persistence & Privilege
always is false (normal). The setup script writes config.json and clients.json inside the skill folder and can install Python packages via pip — these are expected actions for first-time setup. The setup also attempts to send a test WhatsApp message (network action) automatically; per SKILL.md the agent should still ask approval before sending messages during normal operation, so you may want to review/confirm that behavior before running setup.
Assessment
This skill appears coherent for a local WhatsApp-based CRM, but take these practical precautions before installing or running it:
- Review config.json handling: API tokens and phone IDs are stored in a local config.json file. Ensure that directory is access-restricted and not checked into version control.
- Verify the bridge dependency: The WhatsApp Bridge path calls an 'openclaw' CLI via subprocess; ensure that binary is available and trustworthy if you choose the bridge option. README mentions Node.js but the code itself doesn't require Node except indirectly via the external bridge CLI.
- Approve test messages: setup.py will attempt to send a test WhatsApp message. If you prefer, run setup without network or inspect config.json before allowing the test send.
- Pip install actions: setup.py runs pip to install filelock and requests. Run this in a controlled environment (virtualenv) if you want to limit system-wide package changes.
- Confirm send-approval enforcement: SKILL.md requires asking approval before sending messages. Make sure your agent runtime enforces that rule so the skill doesn't send messages autonomously without your consent.
- Backup and secure your clients.json: data is stored locally; make regular backups and protect the directory permissions.
If you want higher assurance, review the included source files yourself (they are all present in the bundle) or run the skill in an isolated test environment first.
