Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
HubSpot CRM
v1.0.0
Full HubSpot CRM automation — contacts, deals, companies, activities, and pipeline reports via the HubSpot API.
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
Name/description match the code: the Python CLI implements contacts, deals, companies, activities and reports via the HubSpot API, which legitimately requires a HubSpot API token. However, the registry metadata lists no required environment variables or primary credential even though both SKILL.md and the script require HUBSPOT_API_KEY. That metadata mismatch is an incoherence.
Instruction Scope
SKILL.md instructs only to set HUBSPOT_API_KEY and to run the provided CLI commands. The instructions stay inside the stated purpose and reference only HubSpot API usage. They do not instruct reading unrelated files, scanning system state, or sending data to external endpoints other than api.hubapi.com.
Install Mechanism
No install spec (instruction-only with a bundled script). This is low-risk — nothing is downloaded or installed automatically by the skill bundle. The script requires the 'requests' Python package, which is documented in SKILL.md.
Credentials
The code and SKILL.md require a HUBSPOT_API_KEY (a bearer token) with CRM scopes, which is appropriate for the stated functionality. But the registry metadata declares no required env vars or primary credential; that omission is unexpected and reduces transparency. Also, provenance is unknown (no source/homepage), which increases risk if the token is provided without verifying the skill's origin.
Persistence & Privilege
The skill is not 'always' enabled and does not request elevated platform privileges or modify other skills. It can be invoked by the user and (by default) autonomously, which is the platform norm and acceptable here given the rest of the footprint.
What to consider before installing
This skill's code and README legitimately require a HubSpot private app token (HUBSPOT_API_KEY) and only call api.hubapi.com. However, the registry metadata does not advertise that credential and the package has no listed source or homepage. Before installing, verify the skill's provenance (who published it), confirm you trust that publisher, and ensure you use a least-privilege HubSpot private app token with only the scopes documented. Consider testing in an isolated environment or with a dedicated HubSpot sandbox account/token first. If you need higher assurance, ask the publisher to update registry metadata to declare HUBSPOT_API_KEY as a required credential and to provide a source URL or repository you can audit.
Like a lobster shell, security has layers — review code before you run it.
latestvk97e90gfyqt61kxawmp8e41jvx83aqek
