HubSpot

Pass

Audited by VirusTotal on May 12, 2026.

Overview

Type: OpenClaw Skill
Name: hubspot-api
Version: 1.0.6

The HubSpot skill bundle provides a standard integration for managing CRM records via the Maton API proxy service (api.maton.ai). The SKILL.md file contains legitimate documentation, CLI examples, and Python snippets for CRM operations, all of which correctly use the required MATON_API_KEY environment variable. The instructions explicitly include safety guidelines requiring user approval for write operations, and no evidence of malicious intent, data exfiltration, or unauthorized execution was found.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Anyone or any process with the API key may be able to act through the user's Maton/HubSpot connection, depending on account permissions.

Why it was flagged

The skill requires a Maton API key to access the connected HubSpot account, which is expected for this managed OAuth integration but is still a sensitive credential.

Skill content

export MATON_API_KEY="YOUR_API_KEY"

Recommendation

Use a dedicated account or least-privilege connection where possible, keep MATON_API_KEY out of logs and shared chats, and revoke the key or OAuth connection if it is no longer needed.

What this means

Mistaken write or delete actions could change important HubSpot business records.

Why it was flagged

The skill can perform CRM write operations, including creates, updates, and deletes. The artifact includes an approval requirement, so this is disclosed and purpose-aligned, but the actions can materially affect CRM data.

Skill content

Before executing any create, update, or delete call, confirm the target resource and intended effect with the user.

Recommendation

Before approving any write, confirm the HubSpot connection, record IDs, fields being changed, and whether the action is reversible.

What this means

CRM data retrieved or modified through the skill passes through Maton's service, so users must trust that service's handling of their data and OAuth connection.

Why it was flagged

HubSpot requests and responses flow through Maton's API gateway. This is central to the skill's managed OAuth design, but it means CRM data and delegated authorization are handled by a third-party service.

Skill content

Maton proxies requests to `api.hubapi.com` and automatically injects your OAuth token.

Recommendation

Review Maton's privacy/security posture, connect only the intended HubSpot account, and avoid sending unnecessary sensitive CRM data through broad API calls.

What this means

Installing a global CLI gives that external package local execution capability on the user's machine.

Why it was flagged

The documentation instructs users to install a global CLI package. This is user-directed and relevant to the skill, but the reviewed artifact set does not include the CLI code or a pinned package version.

Skill content

npm install -g @maton-ai/cli

Recommendation

Install the CLI only from trusted package sources, verify the package name and publisher, and keep it updated.