Pipedrive CRM (OpenClaw)

Security checks across malware telemetry and agentic risk

Overview

This Pipedrive CRM skill appears purpose-aligned, but it exposes broad CRM mutation authority and weak credential-handling safeguards that users should review before installing.

Install only if you trust the publisher and are comfortable giving the agent broad Pipedrive access. Use the least-privileged Pipedrive token available, verify the API base points only to Pipedrive, and require explicit human confirmation before any delete or raw mutating request.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (7)

Lp3

Medium
Category
MCP Least Privilege
Confidence
93% confidence
Finding
The skill clearly requires environment variables containing API credentials and performs outbound network requests to the Pipedrive API, yet it does not declare corresponding permissions. That mismatch weakens platform-level security controls and review visibility, making it easier for a skill with credential and network access to be installed or run without explicit user awareness of its capabilities.

Description-Behavior Mismatch

Medium
Confidence
92% confidence
Finding
The generic `request` command exposes unrestricted access to arbitrary Pipedrive API v1 paths and methods, bypassing the safer, enumerated wrappers defined elsewhere in the skill. In an agent context, this widens the capability surface substantially: a prompt or tool user can invoke endpoints not described in the manifest, including sensitive or destructive operations, making authorization and policy review harder.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The playbook includes deletion guidance that confirms record identity and deletion state, but it does not require explicit user confirmation immediately before the destructive action. In a CRM skill that can delete people, organizations, deals, or related records, this omission raises the risk of accidental or unauthorized data loss from ambiguous prompts, automation mistakes, or mis-targeted record selection.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The `delete` command performs irreversible record deletion with no built-in confirmation, dry-run, or friction mechanism. In an agent-driven workflow, accidental invocation, prompt injection, or misunderstanding can directly destroy CRM data, and the absence of user-facing safeguards increases the chance of harmful unintended actions.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The generic `request` command allows arbitrary mutating methods (`POST`, `PUT`, `PATCH`, `DELETE`) against any supplied API path without additional warning or policy checks. This is dangerous in an LLM-agent setting because it enables high-impact state changes well beyond the skill’s curated commands, increasing the blast radius of prompt manipulation or operator error.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The setup wizard collects the Pipedrive API token using Python's plain `input()`, which echoes the secret on the user's terminal and may expose it to shoulder surfing, terminal recording, scrollback history, or shared-session observation. In a CRM skill context, this is a real credential-handling weakness because the token grants access to customer and sales data.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The OAuth access token is also collected with visible terminal input, exposing a bearer credential that can be reused by anyone who sees or captures the screen output. Because this skill manages Pipedrive CRM resources, compromise of the token could allow unauthorized access or modification of business data within the granted scopes.

VirusTotal

64/64 vendors flagged this skill as clean.
