Airtable Participants
Review
Audited by ClawScan on May 10, 2026.
Overview
This is a transparent Airtable participant lookup skill, but it can access sensitive contact/donation data and can update records if Austin explicitly approves.
Before installing, confirm this is for the intended Ceremonia Airtable base, use the narrowest possible Airtable token, and make sure participant contact lists and CRM-write logs are kept private. Treat record updates as sensitive actions that require explicit per-change approval.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The agent can read sensitive participant records and may be able to write records if the Airtable token has write permissions.
The skill requires an Airtable credential, which will grant the agent whatever Airtable access that token permits.
requires:
  env:
    - AIRTABLE_API_KEY
Use a least-privilege Airtable token, preferably limited to the intended base/table and read-only unless record updates are truly needed.
If approvals are misunderstood, the agent could change participant CRM records such as unsubscribe status or last-contact dates.
The skill exposes direct Airtable API operations including potential record modification, but it also clearly requires explicit approval before any write.
Read-only by default — never PATCH, POST, or DELETE Airtable records without Austin's explicit instruction per operation
Confirm each write with the authorized person, review the exact record and field before execution, and keep Airtable token permissions narrow.
Participant emails and sensitive CRM history could remain in local agent memory/log files beyond the Airtable system itself.
The skill instructs the agent to persist audit logs containing participant identifiers and CRM change details.
Log the change in memory/logs/crm-writes/YYYY-MM-DD.md with: record name/email, field changed, old value, new value, Austin's instruction timestamp
Keep these logs private, define retention and access controls, and consider minimizing stored PII where possible.
Email addresses and phone numbers may be passed into newsletter or SMS workflows, which can affect privacy and consent handling.
The skill is designed to provide participant recipient lists to other skills, creating a sensitive data flow outside this skill.
Also used by other skills (email-newsletter, sms-outreach) to retrieve recipient lists.
Ensure downstream email/SMS skills enforce unsubscribe filtering, restrict where contact lists are displayed, and require review before sending messages.
