Intercom
AdvisoryAudited by Static analysis on May 6, 2026.
Overview
No suspicious patterns detected.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The skill may be able to access or modify Intercom data using the connected account's permissions.
The skill requires delegated Intercom account access through OAuth. This is expected for managing Intercom, but it grants account-level permissions depending on what the user approves.
ClawLink's hosted page runs the hosted OAuth flow — the user clicks through the Intercom login and authorization screen.
Approve only the Intercom scopes and workspace you intend to use, and disconnect the integration from ClawLink or Intercom if it is no longer needed.
If you approve a write, the agent may change Intercom contacts, conversations, tags, subscriptions, or messaging workflows.
The skill can invoke dynamic ClawLink tools that perform Intercom actions, including writes. The artifact includes a preview-and-confirm control, making the behavior purpose-aligned but still important to review.
For writes or anything marked as requiring confirmation, call `clawlink_preview_tool` first, then confirm with the user. Execute with `clawlink_call_tool`.
Review tool previews before approving changes, especially for bulk, destructive, or customer-facing actions.
The actual runtime behavior depends on the installed ClawLink plugin and the live ClawLink tool catalog.
The instruction-only skill depends on a separate ClawLink plugin for execution. The install step is disclosed and user-directed, but the plugin is outside the provided skill artifact.
Install the verified ClawLink plugin: `openclaw plugins install clawhub:clawlink-plugin`
Install the plugin only from the expected ClawHub source and review ClawLink's verification/source links if provenance matters to your environment.
Intercom authorization and related tool calls flow through ClawLink rather than directly through local Intercom credentials.
The skill uses ClawLink as a hosted integration gateway for Intercom credentials and tool calls. This data flow is disclosed and central to the purpose, but it means Intercom access is mediated by a third-party service.
ClawLink ... handles hosted connection flows and credentials so you don't need to configure Intercom API access yourself.
Use this only if you trust ClawLink with delegated Intercom access, and follow the instruction not to paste raw credentials into chat.