HubSpot

Pass

Audited by ClawScan on May 7, 2026.

Overview

This is a coherent HubSpot CRM connector, but it uses Maton-managed credentials and can read or change CRM records, so users should review access and approve writes carefully.

Install only if you intend to let Maton act as a managed OAuth gateway for HubSpot. Protect MATON_API_KEY, verify the exact HubSpot connection before use, and require clear confirmation before any create, update, or delete operation.

Findings (4)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Anyone or any process with the API key may be able to act through the user's Maton/HubSpot connection, depending on account permissions.

Why it was flagged

The skill requires a Maton API key to access the connected HubSpot account, which is expected for this managed OAuth integration but is still a sensitive credential.

Skill content

export MATON_API_KEY="YOUR_API_KEY"

Recommendation

Use a dedicated account or least-privilege connection where possible, keep MATON_API_KEY out of logs and shared chats, and revoke the key or OAuth connection if it is no longer needed.

What this means

Mistaken write or delete actions could change important HubSpot business records.

Why it was flagged

The skill can perform CRM write operations, including creates, updates, and deletes. The artifact includes an approval requirement, so this is disclosed and purpose-aligned, but the actions can materially affect CRM data.

Skill content

Before executing any create, update, or delete call, confirm the target resource and intended effect with the user.

Recommendation

Before approving any write, confirm the HubSpot connection, record IDs, fields being changed, and whether the action is reversible.

What this means

CRM data retrieved or modified through the skill passes through Maton's service, so users must trust that service's handling of their data and OAuth connection.

Why it was flagged

HubSpot requests and responses flow through Maton's API gateway. This is central to the skill's managed OAuth design, but it means CRM data and delegated authorization are handled by a third-party service.

Skill content

Maton proxies requests to `api.hubapi.com` and automatically injects your OAuth token.

Recommendation

Review Maton's privacy/security posture, connect only the intended HubSpot account, and avoid sending unnecessary sensitive CRM data through broad API calls.

What this means

Installing a global CLI gives that external package local execution capability on the user's machine.

Why it was flagged

The documentation instructs users to install a global CLI package. This is user-directed and relevant to the skill, but the reviewed artifact set does not include the CLI code or a pinned package version.

Skill content

npm install -g @maton-ai/cli

Recommendation

Install the CLI only from trusted package sources, verify the package name and publisher, and keep it updated.