Huo15 Crm Agent
Warn. Audited by ClawScan on May 10, 2026.
Overview
This CRM sales skill mostly matches its stated purpose, but it needs review because static scanning indicates possible embedded Qichacha API credentials in the package.
Before installing, verify the package source or built artifact for hardcoded qichacha_api_key or qichacha_secret_key values and rotate any exposed keys. If you use the skill, configure your own Qichacha credentials, keep the API base URL pointed at the official provider unless you intentionally use a private endpoint, and manually approve any CRM creation, activity scheduling, or bulk outreach actions.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A real embedded API key could be exposed to anyone installing the package or could cause Qichacha API calls to use an unintended account or billing boundary.
The scanner reports a possible hardcoded Qichacha API key literal. The documentation says qichacha_api_key and qichacha_secret_key should be user configuration, so embedding a real key would expose or use credentials outside the user's intended permission boundary. Confidence is medium because the displayed source for src/shared.ts is omitted and a related qichacha.ts hit appears to be config-derived.
static scan: qichacha_api_key: [REDACTED],
Inspect the published package or source for hardcoded Qichacha credentials before installing. Remove any embedded keys, rotate exposed credentials, and require users to supply their own qichacha_api_key and qichacha_secret_key through configuration.
If approved, the agent can help create or update CRM records and schedule sales activities in bulk through another plugin.
The skill prepares high-impact CRM mutations through the companion Odoo plugin, including bulk lead creation and activity scheduling. This is purpose-aligned for a CRM sales agent and the snippet includes user confirmation, but users should still review drafts before execution.
`sales_lead_score(leads)` → user confirmation → `odoo_crm_create` bulk insert into CRM → `sales_followup_plan(stage='cold', odoo_lead_id)` → `odoo_create_activity` schedule activities
Review each args_draft and target list before allowing companion tools to write to Odoo or send outreach, especially for bulk actions.
A user could underestimate that company-search tools contact an external provider and use configured API credentials.
This README line claims no network connections, but the skill elsewhere discloses Qichacha OpenAPI integration and the visible client code performs fetch calls to api.qichacha.net. The broader documentation makes the external API use clear, so this appears to be inconsistent or stale wording rather than hidden behavior.
No database is introduced, no local files are written, no network connections are opened
Treat Qichacha search/detail tools as external network calls and update the README to remove the misleading 'no network connection' statement.
