CRM-in-a-Box

Review

Audited by ClawScan on May 10, 2026.

Overview

This is mostly a local, file-based CRM skill, but it overstates its cryptographic audit protections while storing and modifying sensitive contact and business data.

Review this skill before using it for real CRM data. Treat it as editable local JSON storage, not a verified tamper-evident system, unless you independently add and verify hash-chain support. Keep the CRM directory private, back it up, and review agent-made changes before committing or sharing them.

Findings (4)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Users may wrongly trust the CRM as tamper-evident or audit-secure when the provided artifacts only show ordinary editable JSON files.

Why it was flagged

This is a strong integrity and tamper-evidence claim, but the provided CRM schemas and files do not include hash fields, hash-chain verification steps, or code that would cryptographically link entries.

Skill content

**Hash-chained** — every entry is cryptographically linked

Recommendation

Do not rely on hash-chain or tamper-evidence claims unless you add or verify an actual hashing and verification mechanism. Note that a chain stored only in the same editable files can be rewritten end to end by anyone with write access, so the tip hash also needs to be recorded somewhere that editor cannot change (a signed commit, a separate append-only log, or a value you keep outside the CRM directory).

What this means

An agent using this skill can add or change contact, pipeline, and interaction records in the chosen CRM directory.

Why it was flagged

The skill tells the agent to write to CRM data files. This is expected for a CRM, but it is still mutation authority over business records.

Skill content

- **Log a contact:** append a JSON line to `contacts.ndjson`
- **Update a stage:** append an updated entry to `pipeline.ndjson`

Recommendation

Use this only in a designated CRM folder, keep backups or version control, and ask the agent to show diffs before important updates.
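The hash-chain finding above and the append-only writes to `contacts.ndjson` and `pipeline.ndjson` flagged here would both be addressed by the same small mechanism, so one worked example follows. It is an added example written for this review, not code from the CRM-in-a-Box skill or its repository. The file names come from the skill text; the field names `prev_hash` and `hash`, the canonical-JSON encoding, the all-zero genesis value, and the sample contact records are assumptions made here.

```python
"""Hash-chained append and verification for NDJSON CRM files.

Added example for this review, not the skill's own code. Assumed here:
chain fields are named `prev_hash` and `hash`, records are hashed as
canonical JSON (sorted keys, no whitespace), and the first entry links
to GENESIS. The sample records in demo() are constructed.
"""
import hashlib
import json
import tempfile
from pathlib import Path

GENESIS = "0" * 64  # assumed prev_hash of the first entry in every file


def canonical(record: dict) -> bytes:
    # Sorted keys and fixed separators so the same logical record always
    # hashes identically, regardless of how the agent ordered the fields.
    return json.dumps(record, sort_keys=True, separators=(",", ":"),
                      ensure_ascii=False).encode("utf-8")


def entry_hash(prev_hash: str, record: dict) -> str:
    # Hash binds the record's content to its predecessor's hash.
    h = hashlib.sha256()
    h.update(prev_hash.encode("ascii"))
    h.update(b"\n")
    h.update(canonical(record))
    return h.hexdigest()


def last_hash(path: Path) -> str:
    if not path.exists():
        return GENESIS
    lines = [l for l in path.read_text(encoding="utf-8").splitlines() if l.strip()]
    return json.loads(lines[-1])["hash"] if lines else GENESIS


def append_entry(path: Path, record: dict) -> dict:
    """Append record as one JSON line linked to the previous entry."""
    if "hash" in record or "prev_hash" in record:
        raise ValueError("record must not carry chain fields")
    prev = last_hash(path)
    entry = dict(record, prev_hash=prev, hash=entry_hash(prev, record))
    with path.open("a", encoding="utf-8") as f:
        f.write(json.dumps(entry, sort_keys=True, ensure_ascii=False) + "\n")
    return entry


def verify_chain(path: Path):
    """Return (True, None) if every entry links correctly, else (False, bad_index)."""
    prev = GENESIS
    with path.open("r", encoding="utf-8") as f:
        for i, line in enumerate(l for l in f if l.strip()):
            try:
                entry = json.loads(line)
            except json.JSONDecodeError:
                return False, i
            if entry.get("prev_hash") != prev:
                return False, i
            record = {k: v for k, v in entry.items() if k not in ("prev_hash", "hash")}
            if entry.get("hash") != entry_hash(prev, record):
                return False, i
            prev = entry["hash"]
    return True, None


def demo(directory: Path = None) -> dict:
    """Append constructed records, verify, then tamper and verify again."""
    directory = directory or Path(tempfile.mkdtemp())
    contacts = directory / "contacts.ndjson"
    pipeline = directory / "pipeline.ndjson"
    append_entry(contacts, {"name": "Jane Doe", "email": "jane@example.com",
                            "phone": "+1-555-0100", "notes": "Referred by John."})
    append_entry(contacts, {"name": "Jane Doe", "email": "jane@example.com",
                            "notes": "Moved to a new company."})
    append_entry(pipeline, {"contact": "Jane Doe", "stage": "qualified"})
    ok_before, _ = verify_chain(contacts)
    # Simulate an agent or editor silently rewriting the first line in place.
    lines = contacts.read_text(encoding="utf-8").splitlines()
    first = json.loads(lines[0])
    first["notes"] = "Referred by nobody."
    lines[0] = json.dumps(first, sort_keys=True)
    contacts.write_text("\n".join(lines) + "\n", encoding="utf-8")
    ok_after, bad = verify_chain(contacts)
    return {"before": ok_before, "after": ok_after, "bad_index": bad,
            "pipeline_ok": verify_chain(pipeline)[0]}


if __name__ == "__main__":
    print(demo())
```

Run `verify_chain()` before trusting a file and after any agent session; a mismatch reports the first entry whose content or link no longer matches. This detects edits only as long as the expected tip hash is recorded somewhere the editor cannot also rewrite, which is why the recommendation above pairs any such mechanism with backups or version control.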

What this means

Private contact and sales information could remain in local files or be exposed if the CRM directory is synced, committed, or shared.

Why it was flagged

The CRM stores personal contact details and business notes in persistent local files that may later be searched or reused by an agent.

Skill content

"email": "jane@example.com", "phone": "+1-555-0100", "notes": "Referred by John."

Recommendation

Keep CRM repositories private, avoid committing sensitive records to public remotes, and define retention or redaction practices.

What this means

If users rely on the external repository, they may run or import content that was not part of this reviewed artifact set.

Why it was flagged

The README points users to an external repository, while this package itself has no install spec or reviewed executable code. The clone command is user-directed, not automatic.

Skill content

git clone https://github.com/taylorhou/crm-in-a-box

Recommendation

Verify the external repository and its files before cloning, running commands, or using it as the source of CRM templates.