Hubspot Suite
PassAudited by VirusTotal on May 12, 2026.
Overview
Type: OpenClaw Skill Name: hubspot-suite Version: 1.2.0 The OpenClaw AgentSkills bundle provides a comprehensive suite for HubSpot API management. All scripts and documentation files (`SKILL.md`, `references/*.md`) are aligned with the stated purpose of interacting with the HubSpot CRM, Marketing, Sales, Service, and CMS APIs. Network calls are exclusively directed to `api.hubapi.com` (or a user-defined `HUBSPOT_BASE_URL` defaulting to it), and the `HUBSPOT_ACCESS_TOKEN` is explicitly required for authentication. While some scripts and documented functions (e.g., `merge-records.sh`, `cleanup_test_data` in `data-quality.md`) perform destructive operations like merging or deleting records, these actions are clearly defined within the context of data management and quality, and are not indicative of malicious intent or unauthorized behavior. There is no evidence of data exfiltration to external endpoints, obfuscation, persistence mechanisms, or prompt injection attempts designed to subvert the agent for harmful purposes.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If an over-scoped token is provided, the agent may be able to read or modify large parts of the HubSpot account, including customer records, deals, tickets, automation, and marketing assets.
The documented credential can span many HubSpot read/write and automation areas, which is high-impact authority over CRM, marketing, and reporting data.
Required Scopes ... `crm.objects.contacts.read` / `crm.objects.contacts.write` ... `crm.objects.companies.read` / `crm.objects.companies.write` ... `automation` ... `marketing-email` ... `reports`
Create a dedicated HubSpot private app token with only the scopes needed for the specific task, prefer read-only scopes for reporting, and rotate or remove the token when finished.
A mistaken or overly broad request could create, update, merge, export, or alter many HubSpot records.
The skill exposes a raw HubSpot API helper plus bulk import/export and merge workflows, but the provided instructions do not clearly require user confirmation or scoped dry-runs before high-impact mutations.
`./scripts/hs-api.sh POST /crm/v3/objects/companies ...` and `./scripts/bulk-import.sh [object-type] [csv-file] ... ./scripts/merge-records.sh [object-type] [primary-id] [duplicate-id]`
Use this skill only for specific, reviewed HubSpot tasks; require explicit approval before imports, merges, deletes, workflow changes, or bulk updates.
Running the scripts can make HubSpot API calls using the provided token and may read or write local CSV/report files.
The skill directs users to execute local shell scripts. This is expected for the helper workflow, but it is still local code execution.
All scripts are in `scripts/` directory. Make executable first: `chmod +x scripts/*.sh`
Inspect the scripts and run them from a trusted directory with a least-privilege HubSpot token.