Trusted — Risk Score 5/100
Last scan: 2 days ago
CRMy
AI-native CRM agent for managing contacts, accounts, deals, and pipeline using the CRMy REST API
The CRMy plugin is a legitimate CRM management tool with no malicious behavior detected. Configuration access and API calls are properly scoped to local CRM operations.
Skill name: CRMy
Scan duration: 25.3s
Engine: pi
Safe to install
No action required. The skill is safe to use.

Findings (1 item)

Severity: Low
Finding: Configuration in user home directory
Location: src/client.ts:21
The skill reads its API credentials from ~/.crmy/config.json. This is a standard pattern, but a plaintext credential in the home directory is only as well protected as that file's permissions and as the other processes running under the same user.
fs.readFileSync(path.join(os.homedir(), '.crmy', 'config.json'), 'utf-8')
→ Consider documenting security best practices for credential storage (for example, restricting the file to owner-only permissions and never committing it) or supporting a secrets manager.
Resource | Declared | Inferred | Status | Evidence
Filesystem | READ | READ | ✓ Aligned | client.ts:21 - reads ~/.crmy/config.json for local configuration only
Network | READ | READ | ✓ Aligned | client.ts - makes API calls only to the configured CRMy server
Environment | READ | READ | ✓ Aligned | client.ts:28-35 - reads CRMY_SERVER_URL and CRMY_API_KEY
Shell | NONE | NONE | - | No shell execution found
Database | NONE | NONE | - | No direct database access
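The finding above asks for documented credential-storage practice, and the resource table records that the client reads CRMY_SERVER_URL and CRMY_API_KEY from the environment and only talks to the configured server. The block below is an added example written for this report, not code from the CRMy plugin or from the scanner, showing how a client could enforce both points: environment variables take precedence over ~/.crmy/config.json; the config file is rejected unless it is readable by its owner alone (the practical control for a plaintext credential on disk, since encrypting the file with a key held on the same host adds little); the server URL must be HTTPS unless it points at loopback; and every request path is resolved against the configured origin and rejected if it lands anywhere else, so a path that is really an absolute URL cannot carry the Bearer token to another host. The loader and request-builder names, the config JSON field names serverUrl and apiKey, and the error messages are assumptions made for this example; the CRMY_* variable names and the Bearer pattern come from the report.

```typescript
// Added example (not the CRMy plugin's own code). Assumed names:
// loadCrmyConfig, buildRequest, and the config fields serverUrl/apiKey.
import * as fs from "node:fs";
import * as os from "node:os";
import * as path from "node:path";

export interface CrmyConfig {
  serverUrl: string;          // normalised origin, e.g. https://crm.example.com
  apiKey: string;
  source: "env" | "file";     // where the credential came from
}

// Any group/other permission bit set on a credentials file is a problem.
const GROUP_OTHER_BITS = 0o077;

// Refuse a credentials file that other local users could read.
export function checkConfigPermissions(file: string): void {
  const st = fs.statSync(file);
  if (process.platform !== "win32" && (st.mode & GROUP_OTHER_BITS) !== 0) {
    throw new Error(`${file} is readable by other users; run: chmod 600 ${file}`);
  }
}

// Accept only HTTPS, except plain HTTP to loopback for local development.
export function normalizeServerUrl(raw: string): string {
  const u = new URL(raw);
  const loopback = u.hostname === "localhost" || u.hostname === "127.0.0.1";
  if (u.protocol !== "https:" && !(u.protocol === "http:" && loopback)) {
    throw new Error(`refusing non-HTTPS CRMy server URL ${raw}`);
  }
  return u.origin;
}

// Environment first (CRMY_SERVER_URL / CRMY_API_KEY, as the report notes),
// then ~/.crmy/config.json. configDir is a parameter so tests can point it
// at a temporary directory instead of the real home directory.
export function loadCrmyConfig(configDir = path.join(os.homedir(), ".crmy")): CrmyConfig {
  const envUrl = process.env.CRMY_SERVER_URL;
  const envKey = process.env.CRMY_API_KEY;
  if (envUrl && envKey) {
    return { serverUrl: normalizeServerUrl(envUrl), apiKey: envKey, source: "env" };
  }
  const file = path.join(configDir, "config.json");
  checkConfigPermissions(file);
  const parsed = JSON.parse(fs.readFileSync(file, "utf-8")) as Record<string, unknown>;
  const serverUrl = parsed["serverUrl"];
  const apiKey = parsed["apiKey"];
  if (typeof serverUrl !== "string" || typeof apiKey !== "string") {
    throw new Error(`${file} must contain string fields serverUrl and apiKey`);
  }
  return { serverUrl: normalizeServerUrl(serverUrl), apiKey, source: "file" };
}

// Build a request for an API path, pinned to the configured origin. A path
// that is actually an absolute URL to another host is rejected rather than
// sent with the Bearer token attached.
export function buildRequest(
  cfg: CrmyConfig,
  apiPath: string,
): { url: string; headers: Record<string, string> } {
  const target = new URL(apiPath, cfg.serverUrl);
  if (target.origin !== cfg.serverUrl) {
    throw new Error(`path ${apiPath} escapes the configured server ${cfg.serverUrl}`);
  }
  return {
    url: target.toString(),
    headers: { Authorization: `Bearer ${cfg.apiKey}`, Accept: "application/json" },
  };
}
```

The permission check is deliberately a hard failure rather than a warning: a warning printed by an agent plugin is rarely seen, while a refusal to start forces the one-time chmod. Keeping the origin comparison inside buildRequest means every call site inherits it, which is the property the resource table's "only to the configured CRMy server" row is asserting.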

File Tree

8 files · 35.4 KB · 906 lines
TypeScript: 3 files, 403 lines · JavaScript: 1 file, 291 lines · Markdown: 1 file, 140 lines · JSON: 3 files, 72 lines
├─ 📁 dist
│ ├─ 📜 index.d.ts TypeScript 29L · 672 B
│ └─ 📜 index.js JavaScript 291L · 11.5 KB
├─ 📁 src
│ ├─ 📜 client.ts TypeScript 97L · 2.7 KB
│ └─ 📜 index.ts TypeScript 277L · 12.9 KB
├─ 📋 openclaw.plugin.json JSON 27L · 659 B
├─ 📋 package.json JSON 33L · 851 B
├─ 📝 SKILL.md Markdown 140L · 6.0 KB
└─ 📋 tsconfig.json JSON 12L · 235 B

Dependencies (2 items)

Package | Version | Source | Known vulns | Notes
tsup | ^8.3.0 | npm | No | Build tool, not bundled in runtime
typescript | ^5.6.3 | npm | No | Type checker, stripped at build time

Security Positives

✓ No shell execution or subprocess usage
✓ No credential exfiltration or data theft patterns
✓ No base64-encoded payloads or obfuscated code
✓ No remote script execution (curl|bash, wget|sh)
✓ No access to sensitive paths like ~/.ssh, ~/.aws, or .env
✓ No environment variable iteration for credential harvesting
✓ API calls are scoped to the configured CRMy server only
✓ Uses the standard Bearer token authentication pattern
✓ Clean, well-documented codebase with Apache 2.0 license
✓ Open source with public repository