HubSpot

Advisory

Audited by Static analysis on Apr 30, 2026.

Overview

No suspicious patterns detected.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

An agent using this skill could create or update HubSpot contacts, deals, owners, or associations if given the needed token and IDs.

Why it was flagged

The skill documents direct API calls that can create or modify HubSpot CRM objects. This is aligned with the HubSpot integration purpose, but it is still a user-visible capability because mistaken execution could change business records.

Skill content

curl -s -X POST ... "https://api.hubapi.com/crm/v3/objects/deals" | jq ...
curl -s -X PATCH ... "https://api.hubapi.com/crm/v3/objects/contacts/{contactId}" | jq

Recommendation

Use the mutating commands only after confirming the target record and desired changes; test with non-production data when possible.

What this means

Anyone or any agent process with this token can act within the HubSpot permissions granted to that private app.

Why it was flagged

The skill requires a HubSpot private app token, which is expected for HubSpot API access. The artifacts do not show token logging, hardcoding of a real token, or transmission to unrelated endpoints.

Skill content

Set your HubSpot Private App access token: HUBSPOT_ACCESS_TOKEN=pat-na2-xxxxx
...
Authorization header: Bearer $HUBSPOT_ACCESS_TOKEN

Recommendation

Create a dedicated HubSpot private app token with only the scopes needed, avoid sharing it in prompts or logs, and rotate it if exposed.