Client Tracker
PassAudited by ClawScan on May 1, 2026.
Overview
This appears to be a coherent local CRM skill; the main thing to notice is that it stores client and invoice information in a local JSON file.
This skill looks benign and purpose-aligned. Before using it, be aware that your client, project, budget, and invoice information will be saved locally under './clients/clients.json'; protect that folder and keep backups.
Findings (2)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
You have less publisher/provenance context than you would with a clear source repository or homepage.
The package has limited provenance information, although there is no install script, dependency fetch, or remote code execution path shown in the artifacts.
Source: unknown Homepage: none No install spec — this is an instruction-only skill.
Review the included files before installing and keep local backups of any CRM data you store with it.
Anyone with access to that local file may be able to read or alter sensitive client and business records.
The skill persists CRM records locally in a JSON file; those records can contain client names, emails, budgets, projects, and invoice status.
this.dataDir = options.dataDir || './clients';
this.dbFile = path.join(this.dataDir, 'clients.json');
...
_save() { fs.writeFileSync(this.dbFile, JSON.stringify(this.clients, null, 2)); }Store the data directory in a protected location, avoid entering unnecessary sensitive details, and maintain independent backups.