Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Hubspot Crm

v1.0.0

Manages contacts and deals in HubSpot CRM for USC SYNERGY: search, create, update, associate, and track the sales pipeline.

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
SKILL.md contains curl commands that call api.hubapi.com to search, create, update contacts/deals/notes/tasks — this matches the stated HubSpot CRM purpose. However the registry metadata declares no required credentials while the instructions clearly require HUBSPOT_ACCESS_TOKEN (incoherence between declared requirements and actual instructions).
Instruction Scope
Instructions are narrowly scoped to HubSpot's API (api.hubapi.com) and typical CRM operations. They do not (in the visible portion) request reading arbitrary files, other environment variables, or POSTing to unrelated endpoints. A date command is used to timestamp notes, which is reasonable.
Install Mechanism
No install spec and no code files — instruction-only skill. This is low-risk from an installation/execution perspective (nothing is written to disk by the skill itself).
Credentials
The SKILL.md requires a single credential (HUBSPOT_ACCESS_TOKEN), which is appropriate for HubSpot API access, but the skill's registry metadata did not declare any required env vars or primary credential. That mismatch is concerning because it obscures the fact that a secret must be provided. Confirming the token's required scopes and that only that token is needed would reduce risk.
Persistence & Privilege
The skill is not always-enabled, has no install steps, and does not request persistent system-wide changes. It does reference a default owner ID, which is benign configuration data.
What to consider before installing
This skill's commands look consistent with a HubSpot integration, but the published metadata omits the fact that you must provide HUBSPOT_ACCESS_TOKEN. Before installing: 1) verify the skill source/author (no homepage/source provided) and confirm you trust them; 2) require that the metadata be fixed to list HUBSPOT_ACCESS_TOKEN as a required credential; 3) if you proceed, supply a HubSpot token with the minimum scopes needed (read/write contacts/deals only), not a broad admin token; 4) review the full SKILL.md (the provided snippet was truncated) to ensure there are no hidden or unrelated network calls; 5) consider creating a dedicated HubSpot API key/app for this integration so you can revoke it easily if needed.

Like a lobster shell, security has layers — review code before you run it.
