crm-sync

SUSPICIOUS. The stated CRM-sync purpose is coherent, but the trust boundary is not: a required unverified local script and an unspecified MCP transport sensitive CRM data and likely auth context without clear provenance or endpoint transparency. No confirmed malware or overt exfiltration is shown, but the install/execution trust and data-flow integrity are too weak for a benign classification.