Pipedrive CRM (OpenClaw)

Pass. Audited by VirusTotal on May 12, 2026.

Overview

Type: OpenClaw Skill
Name: pipedrive-crm-openclaw
Version: 0.1.0

The skill is classified as suspicious because of the `request` command in `scripts/pipedrive-api.py`, which lets the AI agent issue arbitrary HTTP requests (method, path, query, body) to the Pipedrive API. This feature is intended for full API coverage and is explicitly documented in `SKILL.md` with safety guidelines, but it is a significant prompt-injection risk: an attacker could craft a prompt that instructs the agent to use the command to reach sensitive Pipedrive endpoints, perform unauthorized destructive actions, or exfiltrate data if the `PIPEDRIVE_API_BASE` environment variable is misconfigured to point at an attacker-controlled domain, since the API token is automatically attached to every request.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

OpenClaw could make real changes to Pipedrive CRM data when given a valid token.

Why it was flagged

The skill can create, update, delete, and send raw Pipedrive API requests. This is disclosed and purpose-aligned for CRM administration, but mistakes or ambiguous prompts could modify business records.

Skill content

`create <entity> <json_payload>` ... `update <entity> <id> <json_payload>` ... `delete <entity> <id>` ... `request <METHOD> <path>`

Recommendation

Use explicit user approval for create, update, delete, and raw request actions, especially bulk or destructive operations.

What this means

Actions run with the permissions of the supplied Pipedrive token or OAuth access token.

Why it was flagged

The skill requires Pipedrive credentials to operate. This is expected for the stated CRM integration, but those credentials determine what account data the agent can access or change.

Skill content

`PIPEDRIVE_API_TOKEN` for API token auth ... `PIPEDRIVE_ACCESS_TOKEN` for OAuth bearer auth

Recommendation

Use the least-privileged Pipedrive credential available, keep tokens out of chat, and rotate/revoke them if no longer needed.