Crm

Pass

Audited by ClawScan on May 1, 2026.

Overview

This CRM skill appears local and purpose-aligned, but it stores personal contact details in indexed persistent memory and can optionally run recurring follow-up checks.

Install only if you are comfortable with the agent storing and indexing contact details under memory/contacts, running local Python CRM scripts, and optionally checking follow-ups on a schedule. Verify the source and dependencies, use import dry-runs, and avoid putting secrets in contact notes.

Findings (4)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

The agent can change CRM files and produce contact exports when asked, which may include personal information.

Why it was flagged

The documented tools can create, modify, import, and export contact records. This is expected for a CRM, but it is still local data mutation and export capability.

Skill content

crm-import.py contacts.csv ... crm-export.py --csv out.csv ... crm-update.py alice-chen --interaction

Recommendation

Use dry-run for imports, keep backups of important contact files, and review export destinations before sharing generated CSV or vCard files.

What this means

Users may not be able to follow the README verification steps exactly from the supplied artifacts.

Why it was flagged

The verification instructions reference MANIFEST.sha256, while the supplied file list includes MANIFEST.md instead. This is a provenance/documentation mismatch rather than evidence of hidden behavior.

Skill content

To verify: ... sha256sum -c MANIFEST.sha256

Recommendation

Verify the source repository, hashes, and installed dependencies yourself before running the copied scripts.

What this means

Personal contact details, relationship notes, and follow-up information may become searchable persistent agent memory.

Why it was flagged

The setup places CRM records in the agent memory area and indexes them, so contact details and notes can be retrieved in later agent context.

Skill content

Initialize contacts inside memory/ for semantic search integration ... clawdbot memory index

Recommendation

Store only contacts you intend the agent to remember; avoid secrets in notes, review imported contact notes, and understand your agent's memory retention and search behavior.

What this means

If enabled, the agent may repeatedly check CRM reminders and surface due follow-ups without a fresh manual request each time.

Why it was flagged

The optional HEARTBEAT.md integration creates recurring reminder checks. It is disclosed and purpose-aligned, but it is still persistent scheduled agent behavior.

Skill content

CRM Follow-ups (check 1-2x daily) ... If there are due items, notify the user.

Recommendation

Add the heartbeat instructions only if you want recurring checks, and remove or edit the HEARTBEAT.md entry if you no longer want them.