Crm Add Record
AdvisoryAudited by Static analysis on Apr 30, 2026.
Overview
No suspicious patterns detected.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Anyone using the skill could act in the CRM under the same account, and actions may not be attributable to the real authorized user.
The skill embeds a reusable CRM username and password and instructs browser automation to log in with them, rather than using a user-provided or scoped credential.
# Fill credentials: username="weiyj", password="weiyj123" agent-browser fill @<username_field> "weiyj" agent-browser fill @<password_field> "weiyj123"
Remove and rotate the hardcoded password, require per-user scoped credentials, declare the credential requirement in metadata, and avoid shared-account automation.
If the input is misunderstood or the wrong CRM page is active, the agent could create an incorrect CRM record.
The skill uses browser-control commands to submit the CRM form. This is central to the stated purpose, but it changes business records.
allowed-tools: Bash(agent-browser:*) ... agent-browser click @<save_button>
Have the agent show the parsed fields and obtain user confirmation before clicking save, especially for ambiguous inputs.
Customer or sales-lead information entered by the user will be placed into that CRM instance.
The workflow sends customer contact details, including phone number and name, to the specified external CRM site. This is expected for the CRM-add purpose but involves sensitive customer data.
agent-browser open https://niw26kl7.fractaltest.cn/Crm/Backend/modify.html ... Phone number → 手机号码输入框 ... Contact name → 联系人输入框
Use only with authorized customer data and confirm the listed CRM domain is the intended destination.