Hubspot Crm
Review
Audited by ClawScan on May 10, 2026.
Overview
This HubSpot CRM skill matches its stated purpose, but it requires an undeclared HubSpot access token and exposes persistent CRM write actions without visible approval safeguards in the provided instructions.
Review this skill before installing. It appears purpose-built for HubSpot CRM management, but use only a least-privilege HubSpot token, verify the source, and require the agent to ask before creating or changing contacts, deals, notes, tasks, or pipeline stages.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Installing or using the skill may give the agent access to read and change HubSpot CRM data even though the metadata does not clearly advertise that credential requirement.
The skill requires a HubSpot bearer token capable of CRM access, but the supplied registry metadata lists no required environment variables and no primary credential, so the account-authority requirement is under-declared.
Required configuration - Environment variable: `HUBSPOT_ACCESS_TOKEN`
Declare HUBSPOT_ACCESS_TOKEN and the exact required HubSpot scopes in metadata, and use a least-privilege token limited to the intended USC SYNERGY CRM operations.
A mistaken or over-eager agent action could alter contacts, deals, pipeline stages, notes, or associations in the live CRM.
The skill exposes raw HubSpot API write operations that can create or modify business CRM records; the provided artifact text does not show explicit user-confirmation or change-review requirements before those writes.
Update a contact ... curl -s -X PATCH "https://api.hubapi.com/crm/v3/objects/contacts/CONTACT_ID" ... Create a deal ... "https://api.hubapi.com/crm/v3/objects/deals" ... Update a deal's stage ... -X PATCH
Require explicit user approval before every POST/PATCH/PUT, show the exact object ID and field changes before execution, and prefer constrained helper workflows over raw open-ended API commands.
Users have less context for who authored the instructions and whether they are the intended CRM workflow for USC SYNERGY.
The skill has no published source or homepage link, making it harder to independently verify provenance; there is no code installer here, so this is a provenance note rather than direct evidence of malicious behavior.
Source: unknown
Homepage: none
Verify the owner and instructions with the organization before connecting a real HubSpot token.
