Native HubSpot

Review

Audited by ClawScan on May 10, 2026.

Overview

The skill is a coherent HubSpot CRM integration, but it can read and change CRM records using your private app token.

This appears suitable for HubSpot CRM work if you intend the agent to access and manage CRM data. Before installing, create a dedicated least-privilege HubSpot private app token, keep it out of logs and shared prompts, and confirm any create, update, or association action before it is run.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

If the agent runs a write command with the wrong ID or values, HubSpot contacts, companies, deals, or tickets could be changed.

Why it was flagged

The skill exposes CRM mutation operations. This is expected for a HubSpot management skill, but mistaken use could alter business records.

Skill content

Supports creating, updating, and associating CRM objects.

Recommendation

Use the skill for write actions only when the target record and fields are clear, and require user confirmation before creating, updating, or associating CRM objects.

What this means

Anyone or any agent process using the token can access and modify the scoped HubSpot CRM data.

Why it was flagged

The skill requires a HubSpot private app token with read/write CRM scopes. This is appropriate for the stated purpose but grants meaningful account authority.

Skill content

Give it scopes: `crm.objects.contacts.read`, `crm.objects.contacts.write`, `crm.objects.companies.read`, `crm.objects.companies.write`, `crm.objects.deals.read`, `crm.objects.deals.write`, `tickets`

Recommendation

Create a dedicated HubSpot private app token with only the scopes you need, store it securely, rotate it if exposed, and avoid using an admin-level token unnecessarily.

What this means

Users have less provenance information for deciding whether to trust the included helper script.

Why it was flagged

There is no upstream source or homepage to independently verify provenance, although no external install step or dependency download is shown.

Skill content

Source: unknown; Homepage: none

Recommendation

Review the included script before use and prefer installing from a trusted registry or source-controlled repository when available.