Hubspot Suite
Advisory
Audited by Static analysis on Apr 30, 2026.
Overview
No suspicious patterns detected.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If an over-scoped token is provided, the agent may be able to read or modify large parts of the HubSpot account, including customer records, deals, tickets, automation, and marketing assets.
The documented credential can span many HubSpot read/write and automation areas, which is high-impact authority over CRM, marketing, and reporting data.
Required Scopes ... `crm.objects.contacts.read` / `crm.objects.contacts.write` ... `crm.objects.companies.read` / `crm.objects.companies.write` ... `automation` ... `marketing-email` ... `reports`
Create a dedicated HubSpot private app token with only the scopes needed for the specific task, prefer read-only scopes for reporting, and rotate or remove the token when finished.
A mistaken or overly broad request could create, update, merge, export, or alter many HubSpot records.
The skill exposes a raw HubSpot API helper plus bulk import/export and merge workflows, but the provided instructions do not clearly require user confirmation or scoped dry-runs before high-impact mutations.
`./scripts/hs-api.sh POST /crm/v3/objects/companies ...` and `./scripts/bulk-import.sh [object-type] [csv-file] ... ./scripts/merge-records.sh [object-type] [primary-id] [duplicate-id]`
Use this skill only for specific, reviewed HubSpot tasks; require explicit approval before imports, merges, deletes, workflow changes, or bulk updates.
Running the scripts can make HubSpot API calls using the provided token and may read or write local CSV/report files.
The skill directs users to execute local shell scripts. This is expected for the helper workflow, but it is still local code execution.
All scripts are in `scripts/` directory. Make executable first: `chmod +x scripts/*.sh`
Inspect the scripts and run them from a trusted directory with a least-privilege HubSpot token.
