Attio Enhanced CRM
Pending
Static analysis audit pending.
Overview
No static analysis result has been recorded yet. Pattern checks will appear here once the artifact has been analyzed.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A user may install the skill without realizing it needs an Attio API key that can act on CRM data in their workspace.
The skill requires Attio account credentials, while the registry metadata lists required env vars and primary credential as none. This under-declares delegated access to the user's Attio workspace.
export ATTIO_API_KEY=your_api_key
export ATTIO_WORKSPACE_ID=your_workspace_id
Declare the Attio API key and workspace ID in registry metadata, document required Attio API scopes, and advise users to use a least-privilege/revocable API key.

A mistaken or overly broad request could create or update many CRM records in the user's Attio workspace.
The skill can perform bulk mutations in a business CRM, but the artifacts do not define confirmation, dry-run, batch-size limits, object/field allowlists, or rollback guidance.
- **Batch Operations**: Bulk create/update records
- **Company & Person Support**: Create companies, people, deals
Require explicit user confirmation before writes, add dry-run/preview mode, document safe limits, and provide rollback or duplicate-handling guidance for bulk operations.

Contact or CRM details could appear in local logs or exception output even though the documentation says sensitive data is not logged.
The code logs and embeds full Attio API error bodies in exceptions, while README.md claims 'Sensitive data is not logged.' CRM API error bodies may include submitted record fields or identifiers.
self.logger.error(f"Error response: {error_text}")
...
error = requests.exceptions.HTTPError(f"{response.status_code} {response.reason} | {error_text}", response=response)
Redact error bodies before logging, avoid including full API responses in exception messages by default, and update the security documentation to accurately describe logging behavior.

If enrichment features are used, names, emails, companies, or other contact details may be sent outside Attio without clear provider documentation.
The documentation says contact enrichment may use external sources, but it does not identify providers, data sent, retention, or user consent boundaries.
- Contact data enrichment from external sources
- Social media profile integration
- Industry and size data augmentation
Document each enrichment provider, the exact fields shared, retention/privacy terms, and provide an opt-in control before sending contact data to enrichment services.

Future dependency versions could change behavior, and users may not get a clear registry-level install prompt.
The dependencies are installed from version ranges rather than pinned versions, and the registry says there is no install spec even though README/config instruct dependency installation.
requests>=2.28.0
aiohttp>=3.8.0
tenacity>=8.0.0
Add an explicit install spec and pin or lock dependency versions for reproducible installation.
