Low Risk — Risk Score 15/100
Last scan: 2 days ago
volkern-crm
Automate Volkern CRM operations including lead management, appointment scheduling, task tracking, service catalog, WhatsApp messaging, sales pipeline, quotations, and contracts
Legitimate Volkern CRM MCP server integration with no malicious behavior detected. All functionality aligns with documented CRM operations.
Skill Name: volkern-crm
Duration: 40.1s
Engine: pi
Safe to install
Skill is safe to use. No security concerns identified.

Findings 2 items

Severity: Info
Finding: Network access not explicitly declared
Location: skill.md:1
The SKILL.md requirements section does not explicitly declare network:READ permission, though API integration is clearly documented throughout the skill description.
requires: api_key: volkern
→ Consider adding network:READ to the requirements declaration for transparency

Severity: Info
Finding: Standard MCP server implementation
Location: src/index.ts:1
Uses @modelcontextprotocol/sdk with proper error handling and input validation via Zod schemas.
import { Server } from '@modelcontextprotocol/sdk/server/index.js'
→ No action needed - this is standard practice

| Resource | Declared | Inferred | Status | Evidence |
| --- | --- | --- | --- | --- |
| Network | NONE | READ | ✓ Aligned | src/index.ts:18 - fetch(url, options) to volkern.app/api |
| Filesystem | NONE | NONE | | No filesystem operations in code |
| Shell | NONE | NONE | | No shell execution in code |
| Environment | NONE | READ | ✓ Aligned | src/index.ts:15 - Only reads VOLKERN_API_KEY and VOLKERN_API_URL for CRM authent… |

8 findings

| Severity | Type | Value | Location |
| --- | --- | --- | --- |
| Medium | External URL | https://volkern.app/api | dist/index.js:8 |
| Medium | External URL | https://opencollective.com/express | package-lock.json:604 |
| Medium | External URL | https://volkern.app | package.json:33 |
| Medium | External URL | https://linkedin.com/in/mariagarcia | skill.md:359 |
| Medium | External URL | https://volkern.app/cotizacion/abc123 | skill.md:491 |
| Medium | External URL | https://volkern.app/contrato/xyz789 | skill.md:564 |
| Info | Email | [email protected] | package.json:27 |
| Info | Email | [email protected] | skill.md:353 |

File Tree

8 files · 109.8 KB · 3244 lines
Markdown 2f · 935L JSON 3f · 813L TypeScript 2f · 761L JavaScript 1f · 735L
├─ 📁 dist
│ ├─ 📜 index.d.ts TypeScript 2L · 31 B
│ └─ 📜 index.js JavaScript 735L · 30.1 KB
├─ 📁 src
│ └─ 📜 index.ts TypeScript 759L · 25.9 KB
├─ 📋 package-lock.json JSON 744L · 23.4 KB
├─ 📋 package.json JSON 53L · 1.2 KB
├─ 📝 readme.md Markdown 228L · 5.7 KB
├─ 📝 skill.md Markdown 707L · 23.1 KB
└─ 📋 tsconfig.json JSON 16L · 392 B

Dependencies 2 items

| Package | Version | Source | Known Vulns | Notes |
| --- | --- | --- | --- | --- |
| @modelcontextprotocol/sdk | ^0.5.0 | npm | No | Official MCP SDK from Anthropic |
| zod | ^3.23.8 | npm | No | Well-maintained schema validation library |

Security Positives

✓ Clean codebase with no obfuscation or suspicious patterns
✓ API key authentication properly handled via environment variables
✓ No shell execution, filesystem access, or credential harvesting
✓ All external URLs point to legitimate volkern.app domain
✓ Comprehensive documentation matches actual implementation
✓ Standard MCP protocol implementation with proper error handling
✓ No base64 encoding, eval(), or dynamic code execution
✓ Dependencies (@modelcontextprotocol/sdk, zod) are from reputable sources