ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Attio CRM CLI

v1.0.0

Command-line tool to list, get, and manage objects, records, and lists in your Attio CRM workspace via the Attio API.

0· 1.5k·0 current·0 all-time
by@froemic
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Suspicious
medium confidence
!
Purpose & Capability
The SKILL.md clearly requires an Attio API key (ATTIO_API_KEY) and use of the attio-cli tool, but the skill metadata declares no required environment variables or primary credential. That omission is an incoherence: a CRM CLI legitimately needs an API key, and the manifest should declare it.
Instruction Scope
The instructions stay within the expected scope for an Attio CLI helper: install the attio-cli repo, set ATTIO_API_KEY, and run CLI commands (and a provided generate-schema.sh) that list objects and attributes. The generate-schema.sh will read workspace data via the CLI and emit it to stdout (intended behavior). Instructions recommending adding the API key to ~/.claude/.env or shell rc are operational choices but expand where secrets may be stored.
Install Mechanism
There is no platform install spec in the manifest (instruction-only). SKILL.md instructs the user to clone and npm install a third-party GitHub repo (https://github.com/FroeMic/attio-cli) and npm link it. That is a normal but higher-risk step because it pulls and runs external code; the skill package itself does not auto-download code.
!
Credentials
The runtime needs ATTIO_API_KEY to call the Attio API, but the manifest declared no required env vars or primary credential — a mismatch. The script and instructions also require jq and the attio CLI. Storing the API key in shell rc or ~/.claude/.env is suggested, which may increase exposure if those files are shared or backed up.
Persistence & Privilege
The skill does not request always:true and does not modify other skills or system-wide settings. It does not autonomously persist credentials itself. The only persistence implied is writing the generated workspace.schema.md file when the user runs the script (expected behavior).
What to consider before installing
This skill appears to be an Attio CLI helper, but there are a few things to check before installing: - Manifest vs instructions: The SKILL.md requires ATTIO_API_KEY but the skill metadata does not declare any required env vars — assume you will need to provide an Attio API key. - External code: The instructions tell you to git clone and npm install a third-party repository (https://github.com/FroeMic/attio-cli). Review that repository's code and recent commits to ensure it does only what you expect before running npm install / npm link. - Secret handling: Prefer session-scoped environment variables or a secure secrets store rather than committing the API key to globally sourced files. Avoid placing your workspace API key in files that are synced or shared. Consider creating a dedicated, limited-scope API key in Attio and rotate it after testing. - Output sensitivity: The generate-schema.sh script will emit a full workspace schema (objects, lists, attributes) to stdout / a file. That output may contain sensitive structure or metadata — store it securely and avoid publishing it. - Dependencies: The script requires jq and the attio CLI; installing third-party npm packages gives code run-time access on your machine. Verify those tools and audit their behavior if you need to run them in a sensitive environment. What would raise my confidence: manifest updated to declare ATTIO_API_KEY (primaryEnv) and required tools, or independent verification (e.g., reputable GitHub repo owner, recent code review) of the attio-cli project. If you cannot verify the upstream repo, treat this as higher risk and avoid installing globally.

Like a lobster shell, security has layers — review code before you run it.

latestvk970x9agycrjftw8zfw0jm7p5n80gw50
1.5kdownloads
0stars
1versions
Updated 10h ago
v1.0.0
MIT-0
@froemic
latest
Download

attio-cli

Interact with your Attio CRM workspace via the attio-cli.

Install

  1. Clone and install the CLI:
git clone https://github.com/FroeMic/attio-cli
cd attio-cli
npm install
npm link
  1. Set ATTIO_API_KEY environment variable (get it from Attio Settings > Developers > API Keys):
    • Recommended: Add to ~/.claude/.env for Claude Code
    • Alternative: Add to ~/.bashrc or ~/.zshrc: export ATTIO_API_KEY="your-api-key"

Repository: https://github.com/FroeMic/attio-cli

Commands

List objects and records:

attio object list                      # List all objects
attio record list people               # List people records
attio record list companies            # List company records

Work with lists (pipelines):

attio list list-all                    # List all lists
attio entry list <list-slug>           # List entries in a list

Get detailed info:

attio object get <object-slug>         # Get object details
attio object attributes <object-slug>  # Get object attributes
attio list attributes <list-slug>      # Get list entry attributes

Generate Workspace Schema

Generate a markdown schema of your workspace for context:

bash {baseDir}/scripts/generate-schema.sh > {baseDir}/workspace.schema.md

This creates a reference file documenting all objects, attributes, lists, and field options in your workspace.

Key Concepts

ConceptPurposeExample
ObjectsBase record typesPeople, Companies, Deals
ListsPipeline/workflow managementSales Pipeline, Hiring
RecordsIndividual items in objectsA specific person or company
EntriesRecords added to a listA deal in the Sales Pipeline

API Reference

  • Base URL: https://api.attio.com/v2
  • Auth: Authorization: Bearer $ATTIO_API_KEY
  • Rate Limits: 100 requests per 10 seconds per workspace

Common API Operations

Search for a person:

curl -X POST https://api.attio.com/v2/objects/people/records/query \
  -H "Authorization: Bearer $ATTIO_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{"filter": {"email_addresses": {"contains": "john@example.com"}}}'

Create a record:

curl -X POST https://api.attio.com/v2/objects/<object-slug>/records \
  -H "Authorization: Bearer $ATTIO_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{"data": {"values": {"name": [{"value": "Record Name"}]}}}'

Add entry to a list:

curl -X POST https://api.attio.com/v2/lists/<list-slug>/entries \
  -H "Authorization: Bearer $ATTIO_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{"data": {"parent_record_id": "<record-id>"}}'

Notes

  • Run generate-schema.sh after installing to create a workspace schema file with all your objects, lists, and field options.
  • Lists are commonly used to manage pipelines (sales stages, hiring workflows, etc.).
  • The CLI requires jq for JSON processing in schema generation.

Comments

Loading comments...