zerocrm

Fail

Audited by Socket on Feb 13, 2026

6 alerts found:

Alert types: filesystemAccess, urlStrings, Malware, Obfuscated File, shellAccess, networkAccess

filesystemAccess: LOW
urlStrings: LOW
Malware: HIGH
SKILL.md

No clear malicious code or backdoor behavior in the provided skill documentation and examples. The material does contain security hygiene issues to be aware of: the BASE_URL is an AWS Lambda URL (verify operator/trust before sending real data), and examples that print API keys encourage accidental credential leakage. Functionality and requested permissions are generally proportional to the documented CRM use cases. Recommend: verify the package source (GitHub and package registry), avoid printing API keys or storing them in logs, and ensure the endpoint is the legitimate Zero CRM service before using production data.

Confidence: 75%
Severity: 40%

Obfuscated File: HIGH
scripts/cli.py

This file is a straightforward CLI for a remote CRM API and does not contain on-device malware or obfuscated/backdoor code. The primary security concern is the hardcoded remote endpoint: running this client will send the ZERO_CRM_API_KEY and any user-supplied data to that BASE_URL. If that endpoint is untrusted or malicious, secrets and data will be exfiltrated. Additionally, printing a truncated API key and printing raw server responses can leak sensitive information to logs. Recommend verifying the BASE_URL's ownership/trustworthiness before use, avoiding storing sensitive keys in shared .env files, and removing printing of API key material.

Confidence: 98%
shellAccess: MEDIUM
networkAccess: MEDIUM
Audit Metadata
Analyzed At
Feb 13, 2026, 06:13 AM
Package URL
pkg:socket/skills-sh/thierryteisseire%2F0crm-skill%2Fzerocrm%2F@99aa14fec97a1d204dfff9d14af3dbdaa490e7ed