v1.0.0

Omnium Hub CRM

Review: ClawScan verdict for this skill. Analyzed May 1, 2026, 6:25 AM.

Analysis

The skill is mostly consistent with a CRM integration, but it requires a CRM API key and can change business records without clear confirmation or rollback safeguards.

Guidance: Review this before installing if the API key can change real CRM data. Use a limited, revocable key, verify the LeadConnectorHQ endpoint is correct for Omnium Hub, and require the agent to confirm exact create/update actions before running them.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Tool Misuse and Exploitation
Severity: Medium | Confidence: High | Status: Concern
scripts/omnium_client.py
contacts_parser.add_argument("--action", choices=["lookup", "create", "update"], required=True) ... resp = requests.post(url, headers=headers, json=payload) ... resp = requests.put(f"{url}/{args.contact_id}", headers=headers, json=payload)

The tool can create and update CRM contacts, and the script also supports creating opportunities. These are business-data mutations, but the artifacts do not require a confirmation step, dry run, or rollback process before changes are made.

User impact: If invoked with a valid API key, the agent could create or alter CRM records, and mistakes may affect customer or sales data.
Recommendation: Require explicit user confirmation before create or update actions, show the exact proposed change first, and use API keys with the minimum CRM permissions needed.

Human-Agent Trust Exploitation
Severity: Low | Confidence: Medium | Status: Note
scripts/omnium_client.py
BASE_URL = "https://services.leadconnectorhq.com"

The skill is branded as Omnium Hub CRM, while the code sends API requests to a LeadConnectorHQ domain. This may be the legitimate backend, but the SKILL.md text does not explain that relationship.

User impact: A user may not realize their CRM API key and CRM data are being sent to this specific external service endpoint.
Recommendation: Confirm that Omnium Hub uses this LeadConnectorHQ API endpoint and disclose the backend domain clearly in the skill instructions.

Permission boundary

Checks whether tool use, credentials, dependencies, identity, account access, or inter-agent boundaries are broader than the stated purpose.

Identity and Privilege Abuse
Severity: Medium | Confidence: High | Status: Note
SKILL.md
To use this skill, you need an **Omnium Hub API Key**. ... Once provided, use it in the scripts below. ... python3 scripts/omnium_client.py --api-key "YOUR_KEY"

The skill asks the user for a bearer-style CRM credential and passes it to the script. This is expected for CRM access, but it is sensitive delegated authority and the registry metadata lists no primary credential.

User impact: Anyone or any agent action using that key may be able to read or modify CRM data within the key's scope.
Recommendation: Use a scoped, revocable API key; avoid pasting long-lived admin tokens; prefer secret/env handling over command-line arguments when possible.