v1.0.2

Helpscout

ReviewClawScan verdict for this skill. Analyzed May 1, 2026, 5:16 AM.

Analysis

This HelpScout skill should be reviewed carefully because it is described as fetching inbox messages but also contains and documents actions that can modify support conversations.

Guidance: Before installing, treat this as a write-capable HelpScout integration, not just a fetcher. Use least-privilege credentials, verify the implementation enforces your intended inbox IDs, and require explicit human confirmation before creating notes, sending replies, or closing conversations.

Findings (6)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Human-Agent Trust Exploitation
Severity: Medium. Confidence: High. Status: Concern.
metadata
Description: Fetches messages from specific Helpscout inboxes

The public summary frames the skill as read-only and inbox-scoped, while the provided SKILL.md and code include HelpScout write capabilities such as creating notes and documenting customer-visible replies.

User impact: A user may install it expecting only message fetching, but the skill can affect HelpScout support records.
Recommendation: Update the public description and capability metadata to clearly state all write actions, or separate read-only fetching from write-capable support actions.
Tool Misuse and Exploitation
Severity: High. Confidence: High. Status: Concern.
SKILL.md
// Send a customer-visible reply (will send email) ... status: 'closed'

The usage documentation includes actions that can email customers and close conversations, but the artifacts do not define an explicit approval or rollback process for those high-impact actions.

User impact: If used as documented, the skill could send customer-facing messages or change ticket status in HelpScout.
Recommendation: Require explicit user confirmation before any reply, note, or status change, and make write actions clearly opt-in.
Tool Misuse and Exploitation
Severity: Medium. Confidence: High. Status: Concern.
scripts/sendReply.js
fetch(`https://api.helpscout.net/v2/conversations/${conversationId}/notes`, { method: 'POST' ... }); ... module.exports = { /* sendReply ,*/ createNote };

The exported createNote function can POST to a HelpScout conversation by arbitrary conversationId and does not check that the conversation belongs to the configured INBOX_IDS.

User impact: The skill can modify any HelpScout conversation accessible to the configured credentials, not just the configured inboxes.
Recommendation: Validate conversation IDs against the configured inbox list before writing, and document the allowed mutation scope.
Tool Misuse and Exploitation
Severity: Medium. Confidence: High. Status: Concern.
index.js
inboxIds.map(inboxId => fetchConversations(inboxId, options))

The fetchConversations implementation is defined to take a single object containing inboxId, but this call passes inboxId as a positional argument, so the configured inbox ID boundary is not reliably passed into the request.

User impact: The intended restriction to specific configured inboxes may not be applied consistently.
Recommendation: Align the documented and implemented function signatures and test that every fetch/write path enforces INBOX_IDS.
Permission boundary

Checks whether tool use, credentials, dependencies, identity, account access, or inter-agent boundaries are broader than the stated purpose.

Identity and Privilege Abuse
Severity: Medium. Confidence: High. Status: Note.
config.schema.json
"API_KEY": { "description": "Your Helpscout API Key", "required": true, "sensitive": true }, "APP_SECRET": { "description": "Your Helpscout App Secret", "required": true, "sensitive": true }

The skill legitimately needs HelpScout credentials, but those credentials are sensitive and are used in a skill that includes write-capable actions.

User impact: Compromise or over-scoping of these credentials could expose or modify HelpScout customer support data.
Recommendation: Use least-privilege HelpScout app credentials where possible, rotate secrets regularly, and avoid sharing OpenClaw config output.
Sensitive data protection

Checks for exposed credentials, poisoned memory or context, unclear communication boundaries, or sensitive data that could leave the user's control.

Memory and Context Poisoning
Severity: Low. Confidence: Medium. Status: Note.
SKILL.md
- Embed thread data directly in the response

Customer-authored ticket threads are external, potentially sensitive and untrusted content that may enter the agent context.

User impact: Support messages could contain private customer information or instructions that should not be treated as trusted system guidance.
Recommendation: Treat fetched HelpScout conversation content as untrusted data and avoid reusing or sharing it outside the intended support task.