Attio

Pass. Audited by ClawScan on May 10, 2026.

Overview

This looks like a straightforward Attio CRM command-reference skill, but it needs an Attio API key/CLI and can change CRM data, so users should approve write actions and protect credentials.

Before installing or using this skill, make sure you trust the `attio` CLI you will run, use a least-privilege Attio API token, and require explicit approval before the agent creates, updates, or completes CRM records, notes, tasks, or pipeline entries.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

If used without care, the agent could add, update, or complete CRM items in a way that changes sales or customer records.

Why it was flagged

These documented commands can create or change CRM records and tasks. That is aligned with the skill's Attio CRM purpose, but it affects business data and should remain user-approved.

Skill content
`attio records create <object> <json>` ... `attio records update <object> <id> <json>` ... `attio tasks complete <task_id>`
Recommendation

Confirm user intent before running CRM write actions, especially record updates, pipeline changes, note creation, and task completion.

What this means

Anyone with access to the token may be able to access or modify Attio workspace data according to that token's permissions.

Why it was flagged

The skill requires an Attio access token for account/workspace API access. This is expected for the integration, but the metadata does not declare a primary credential or required environment variable.

Skill content
Set `ATTIO_API_KEY` in environment or `~/.env` ... Get your API key: Attio → Workspace Settings → Developers → New Access Token
Recommendation

Use a least-privilege Attio token, store it securely, rotate it if exposed, and avoid pasting real credentials into chat.

What this means

The skill may fail if the CLI is not installed, or a user could accidentally rely on an unintended `attio` executable in their environment.

Why it was flagged

The instructions rely on an `attio` CLI, but the supplied install information says there is no install spec and no required binary. The CLI's source and installation path are therefore outside the reviewed artifacts.

Skill content
`attio objects list` ... `attio records list <object>` ... `attio notes create <object> <record_id> <title> <content>`
Recommendation

Install only the official/intended Attio CLI or a verified wrapper, and consider declaring the required binary and installation source in the skill metadata.