Hubspot Suite

Review

Audited by ClawScan on May 10, 2026.

Overview

This looks like a legitimate HubSpot helper, but it gives an agent broad power to read, change, import, merge, and delete CRM/marketing data without clear guardrails.

Install only if you intentionally want an agent to help administer HubSpot. Before use, create a dedicated least-privilege HubSpot token, avoid broad write scopes unless needed, and require manual review before bulk imports, merges, deletes, marketing automation changes, or other account-wide actions.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

If an over-scoped token is provided, the agent may be able to read or modify large parts of the HubSpot account, including customer records, deals, tickets, automation, and marketing assets.

Why it was flagged

The documented credential can span many HubSpot read/write and automation areas, which is high-impact authority over CRM, marketing, and reporting data.

Skill content

Required Scopes ... `crm.objects.contacts.read` / `crm.objects.contacts.write` ... `crm.objects.companies.read` / `crm.objects.companies.write` ... `automation` ... `marketing-email` ... `reports`

Recommendation

Create a dedicated HubSpot private app token with only the scopes needed for the specific task, prefer read-only scopes for reporting, and rotate or remove the token when finished.

What this means

A mistaken or overly broad request could create, update, merge, export, or alter many HubSpot records.

Why it was flagged

The skill exposes a raw HubSpot API helper plus bulk import/export and merge workflows, but the provided instructions do not clearly require user confirmation or scoped dry-runs before high-impact mutations.

Skill content

`./scripts/hs-api.sh POST /crm/v3/objects/companies ...` and `./scripts/bulk-import.sh [object-type] [csv-file] ... ./scripts/merge-records.sh [object-type] [primary-id] [duplicate-id]`

Recommendation

Use this skill only for specific, reviewed HubSpot tasks; require explicit approval before imports, merges, deletes, workflow changes, or bulk updates.

What this means

Running the scripts can make HubSpot API calls using the provided token and may read or write local CSV/report files.

Why it was flagged

The skill directs users to execute local shell scripts. This is expected for the helper workflow, but it is still local code execution.

Skill content

All scripts are in `scripts/` directory. Make executable first: `chmod +x scripts/*.sh`

Recommendation

Inspect the scripts and run them from a trusted directory with a least-privilege HubSpot token.