ClawHub

Salesforce Skill

v0.1.0

Manage Salesforce CRM records via CLI or REST API, including querying, creating, updating, deleting contacts, accounts, opportunities, leads, and cases.

1· 2.1k·1 current·1 all-time
by@lucas-riverbi
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
high confidence
Purpose & Capability
The code and SKILL.md implement Salesforce management via the official 'sf' CLI and REST API — this matches the skill name/purpose. However the registry metadata claims no required binaries or env vars while SKILL.md metadata and the script clearly expect the 'sf' binary and Salesforce credentials (SALESFORCE_ACCESS_TOKEN and/or interactive/jwt login).
Instruction Scope
Runtime instructions and the helper script stick to Salesforce operations (SOQL queries, create/update/delete records, org management). They reference relevant env vars and use 'sf' and curl for API calls. The instructions do not request unrelated system files or external endpoints beyond Salesforce.
Install Mechanism
There is no formal install spec in the registry package (install-only via SKILL.md suggestions). SKILL.md recommends installing @salesforce/cli via npm or Homebrew — those are normal for this tooling and do not involve obscure download URLs. Because the registry omitted the install spec, users may not be warned that the 'sf' binary is required.
!
Credentials
The SKILL.md and helper script expect credentials and configuration: SALESFORCE_ACCESS_TOKEN (used in REST examples) and SALESFORCE_TARGET_ORG (used by the script), plus interactive or JWT login flows. The registry metadata however lists no required env vars. That mismatch is problematic because the skill will need credentials to function; the missing declarations increase the risk of accidental misconfiguration or hidden credential use.
Persistence & Privilege
The skill does not request 'always: true' and offers no install-time modifications to other skills or system-wide configs. It runs as-invoked and relies on the 'sf' CLI and env vars — standard behavior for a connector script.
What to consider before installing
This skill's code and SKILL.md are consistent with a Salesforce CLI helper, but the registry metadata is incomplete: it fails to declare required binaries ('sf') and expected environment variables (SALESFORCE_ACCESS_TOKEN, SALESFORCE_TARGET_ORG). Before installing: 1) review the included scripts (salesforce-helper.sh) for any commands you don't want run; 2) only provide Salesforce credentials you control and store them securely (prefer OAuth/JWT over plaintext tokens where possible); 3) install the official Salesforce CLI from the vendor (npm or Homebrew) rather than arbitrary downloads; 4) ask the publisher to correct registry metadata so required binaries/env vars are explicit. If you need higher assurance, run the helper script in a test org or sandbox account first and avoid giving production credentials until you're confident in the skill.

Like a lobster shell, security has layers — review code before you run it.

latestvk971vwyh5ped7yst9379mx6snx80566m

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments