SMBcrm CRM & Marketing Platform
Advisory
Audited by Static analysis on Apr 30, 2026.
Overview
No suspicious patterns detected.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If a Private Integration Token is over-scoped or exposed, someone could access or change SMBcrm account data.
The skill explicitly guides use of bearer tokens for SMBcrm API authentication. This is expected for the stated purpose, but those tokens can grant account access.
Private Integration Token — bearer token for API authentication (created under Settings → Private Integrations)
Use least-privilege tokens, avoid pasting secrets unless necessary, store tokens securely, and revoke or rotate any token that may have been exposed.
Incorrect API requests or workflow steps could modify or delete contacts, tasks, campaigns, or other CRM records.
The skill documents API areas that can mutate CRM records. This is purpose-aligned API guidance, but generated API calls or workflows could have real business impact if run without review.
Contacts | Create, read, update, delete, upsert, search, notes, tasks, tags, campaigns, workflows, followers, appointments
Review generated requests before running them, test in a safe account or with limited data first, and follow the skill’s own recommendation to include a test plan and rollback path.
A broadly authorized MCP or AI assistant setup could expose or change CRM data through connected tools.
The skill includes MCP-based AI tool access to SMBcrm. This is disclosed and relevant to the skill, but AI-client/tool connections need clear authentication and permission boundaries.
MCP — the AI tool layer that lets compatible clients call SMBcrm tools over HTTP
Limit MCP and Agent Studio permissions to the minimum needed, verify client identity and endpoint configuration, and avoid sharing broad CRM tokens with untrusted clients.
