Scan Report
5/100
CRMy
AI-native CRM agent for managing contacts, accounts, deals, and pipeline using the CRMy REST API
The CRMy plugin is a legitimate CRM management tool with no malicious behavior detected. Configuration access and API calls are properly scoped to local CRM operations.
Safe to install
No action required. The skill is safe to use.
Security findings: 1
| Severity | Finding | Location |
|---|---|---|
| Low | Configuration in user home directory | src/client.ts:21 |

| Resource type | Declared permission | Inferred permission | Status | Evidence |
|---|---|---|---|---|
| File system | READ | READ | ✓ Consistent | client.ts:21 - reads ~/.crmy/config.json for local configuration only |
| Network access | READ | READ | ✓ Consistent | client.ts - makes API calls only to configured CRMy server |
| Environment variables | READ | READ | ✓ Consistent | client.ts:28-35 - reads CRMY_SERVER_URL and CRMY_API_KEY |
| Command execution | NONE | NONE | — | No shell execution found |
| Database | NONE | NONE | — | No direct database access |
Directory structure
8 files · 35.4 KB · 906 lines
TypeScript 3f · 403L
JavaScript 1f · 291L
Markdown 1f · 140L
JSON 3f · 72L
├─ dist
│ ├─ index.d.ts (TypeScript)
│ └─ index.js (JavaScript)
├─ src
│ ├─ client.ts (TypeScript)
│ └─ index.ts (TypeScript)
├─ openclaw.plugin.json (JSON)
├─ package.json (JSON)
├─ SKILL.md (Markdown)
└─ tsconfig.json (JSON)
Dependency analysis: 2 items
| Package | Version | Source | Known vulnerabilities | Notes |
|---|---|---|---|---|
| tsup | ^8.3.0 | npm | No | Build tool, not bundled in runtime |
| typescript | ^5.6.3 | npm | No | Type checker, stripped at build time |
Security highlights
✓ No shell execution or subprocess usage
✓ No credential exfiltration or data theft patterns
✓ No base64-encoded payloads or obfuscated code
✓ No remote script execution (curl|bash, wget|sh)
✓ No access to sensitive paths like ~/.ssh, ~/.aws, or .env
✓ No environment variable iteration for credential harvesting
✓ API calls are scoped to the configured CRMy server only
✓ Uses standard Bearer token authentication pattern
✓ Clean, well-documented codebase with Apache 2.0 license
✓ Open source with public repository