Pipedrive CRM (OpenClaw)

Pass. Audited by ClawScan on May 10, 2026.

Overview

This appears to be a legitimate Pipedrive CRM helper, but it can use your Pipedrive credentials to read, change, and delete CRM records, including through a broad raw API request command.

Install only if you want OpenClaw to act on your Pipedrive account. Provide a scoped token if possible, confirm destructive or broad raw API requests before execution, and keep credentials in environment variables rather than chat.

Findings (2)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

OpenClaw could make real changes to Pipedrive CRM data when given a valid token.

Why it was flagged

The skill can create, update, delete, and send raw Pipedrive API requests. This is disclosed and purpose-aligned for CRM administration, but mistakes or ambiguous prompts could modify business records.

Skill content

`create <entity> <json_payload>` ... `update <entity> <id> <json_payload>` ... `delete <entity> <id>` ... `request <METHOD> <path>`

Recommendation

Use explicit user approval for create, update, delete, and raw request actions, especially bulk or destructive operations.

What this means

Actions run with the permissions of the supplied Pipedrive token or OAuth access token.

Why it was flagged

The skill requires Pipedrive credentials to operate. This is expected for the stated CRM integration, but those credentials determine what account data the agent can access or change.

Skill content

`PIPEDRIVE_API_TOKEN` for API token auth ... `PIPEDRIVE_ACCESS_TOKEN` for OAuth bearer auth

Recommendation

Use the least-privileged Pipedrive credential available, keep tokens out of chat, and rotate/revoke them if no longer needed.