ClawHub

intercom-conversations

v1.0.1

Read Intercom conversations by listing, finding, or searching them using the ConversationsClient with JSON input and output.

0· 589·0 current·0 all-time
by@duyeng
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
Name/description match the implementation: index.js calls intercom-client to list/find/search conversations. The single sensitive input (INTERCOM_ACCESS_TOKEN) is appropriate for this purpose. Note: the top-level registry summary in the provided metadata said "Required env vars: none", but the skill manifest (clawhub.skill.json) and SKILL.md correctly declare INTERCOM_ACCESS_TOKEN as required — this is a metadata inconsistency to be aware of but does not indicate malicious behavior.
Instruction Scope
SKILL.md instructs the runtime to invoke default(input) and documents the allowed actions. The implementation only calls the Intercom API via intercom-client and does not read local files, other environment variables, or transmit data to any endpoints beyond Intercom. It returns API responses in structured JSON and does not perform additional data collection.
Install Mechanism
There is no formal install spec in the registry, but the package includes package.json and depends on the public npm package intercom-client and the SKILL.md suggests running npm install. This is standard and expected for a Node skill, but installers should be aware that npm will fetch dependencies from the public registry.
Credentials
The skill requires a single credential: INTERCOM_ACCESS_TOKEN, which is proportional and necessary for the stated read-only operations. It does not request unrelated secrets or config paths. Again, be aware of the mismatch between the provided summary (which listed no required envs) and the actual manifest that requires the token.
Persistence & Privilege
always is false and the skill does not attempt to modify other skills or system settings. The module creates a singleton client (keeps token in memory) which is normal for performance; there is no persistent storage or system-wide privilege escalation.
Assessment
This skill appears to do exactly what it claims: read Intercom conversations. Before installing, verify you are comfortable providing an Intercom access token and grant the token only the minimum necessary scope (read-only if possible). Confirm the npm dependency (intercom-client) version is acceptable for your security policy and that running npm install is allowed. Also note the registry metadata summary omitted the required env var — rely on the package's clawhub.skill.json / SKILL.md for the correct requirements. If you do not want the agent to call this skill autonomously, you can disable model invocation for the skill in your agent settings.

Like a lobster shell, security has layers — review code before you run it.

latestvk971xn2yz815qyzsbsdqxcxewh81csde

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments