Follow Up Boss
Review
Audited by ClawScan on May 10, 2026.
Overview
This appears to be a real Follow Up Boss CLI, but it can change CRM records and webhooks using a broad API key without clear approval or scoping safeguards.
Only install this if you intend the agent to access and modify your Follow Up Boss account. Use a limited API key if possible, avoid production data for testing, and require manual review before any create, update, complete, delete, webhook, or event-triggering command.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
An agent or user could accidentally change CRM contacts, tasks, deals, or webhook configuration.
The documented CLI exposes account-changing and delete operations through raw JSON/id arguments, but the artifact does not define confirmation, dry-run, scoping, or approval rules for these high-impact actions.
`people update <id> <json>`; `tasks complete <id>`; `deals create <json>`; `webhooks create <json>`; `webhooks delete <id>`
Require explicit user confirmation for create/update/delete operations, use the least-privileged Follow Up Boss API key available, and test in a non-production account when possible.
Installing users may not realize from metadata alone that the skill needs an API key with access to their CRM account.
The skill requires a Follow Up Boss API key and uses it for authenticated API calls. This is purpose-aligned, but the registry metadata says no required env vars and no primary credential.
`const API_KEY = process.env.FUB_API_KEY || '';` ... `'Authorization': 'Basic ' + Buffer.from(API_KEY + ':').toString('base64')`
Declare FUB_API_KEY as a required credential/env var and document the minimum permissions the key should have.
A bad lead/event creation could trigger CRM workflows, notifications, assignments, or other automations.
The skill explicitly creates events that can trigger Follow Up Boss automations, so a mistaken command can propagate beyond a single record.
`people create <json>` | Create person via /events (triggers automations) ... `events create <json>` | Create event (for lead intake)
Add guardrails requiring confirmation before event creation and clearly warn users when a command can trigger downstream automations.
Users have less context for deciding whether to trust this code with CRM account access.
The skill handles a CRM API credential, but its source/provenance is not identified in the supplied metadata.
Source: unknown; Homepage: none
Provide a homepage/source repository and review the included fub.js before using a production API key.
