ClawHub

Crisp Skill

Customer support via Crisp API. Use when the user asks to check, read, search, or respond to Crisp inbox messages. Requires Crisp website ID and plugin token (authenticated via environment variables CRISP_WEBSITE_ID, CRISP_TOKEN_ID, and CRISP_TOKEN_KEY).

MIT-0 · Free to use, modify, and redistribute. No attribution required.
1 · 1.7k · 0 current installs · 0 all-time installs
byMinh Phan (Paul)@paul-phan
MIT-0
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
The skill's name, README, SKILL.md, and script all describe Crisp inbox operations and use Crisp plugin credentials — that matches the stated purpose. However the registry metadata claims 'Required env vars: none' and 'Primary credential: none' while both SKILL.md and the script require CRISP_WEBSITE_ID, CRISP_TOKEN_ID, and CRISP_TOKEN_KEY. This metadata omission is an inconsistency that could mislead users or automated guards.
Instruction Scope
The SKILL.md instructs the agent to call Crisp API endpoints (list conversations, get messages, send replies, mark read/resolve). The instructions only reference the Crisp API and the three environment variables; they do not ask the agent to read unrelated files or exfiltrate data to other endpoints. The README warns to store env vars securely and suggests installing 'requests'.
Install Mechanism
There is no install spec (instruction-only), which minimizes risk of arbitrary downloads. The script depends on the Python 'requests' package; the README instructs pip3 install requests. The registry metadata does not declare this dependency, which is a minor inconsistency to be aware of.
!
Credentials
The skill legitimately needs three Crisp credentials (website ID, token id, token key) and requests only those. However, the published metadata failed to list any required environment variables or primary credential — this mismatch is concerning because automated policy checks or users may not realize sensitive tokens are required or used. Also note that the README suggests adding tokens to shell profiles, which can persist secrets in plain text and may be inappropriate for some environments.
Persistence & Privilege
The skill is not always-on and is user-invocable. It does not request system-wide persistence or modify other skills. Autonomous model invocation is allowed (default) but that is the platform norm and is not by itself flagged here.
What to consider before installing
This skill's code and docs match its claimed Crisp inbox functionality and it only needs Crisp plugin credentials, but the registry metadata incorrectly states that no environment variables are required — treat that as a red flag. Before installing: 1) Confirm you trust the skill owner/source (no homepage provided). 2) Verify the full script (the provided listing here was partially truncated) to ensure there are no hidden network calls or logging of secrets. 3) Create a Crisp plugin token with the minimum required scopes and prefer short-lived or revocable tokens; avoid placing tokens in long-lived shell profiles on shared machines. 4) Be aware the CLI can print full API responses (which may include visitor emails, IPs, or other metadata) so avoid running it in logs or screenshots where sensitive data could leak. 5) If you rely on automated policy checks, request that the registry metadata be corrected to declare CRISP_WEBSITE_ID, CRISP_TOKEN_ID, and CRISP_TOKEN_KEY (and the 'requests' dependency) before enabling the skill.

Like a lobster shell, security has layers — review code before you run it.

Current versionv1.0.0
Download zip
latestvk977gp39gg3vdmxgpadwbqhwpd8045gw

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

SKILL.md

Crisp Customer Support

Crisp is a customer support platform. Use this skill when the user needs to:

  • Check for new messages in the inbox
  • Read conversation history
  • Search conversations
  • Send replies to customers
  • Check conversation status

Credentials

Crisp requires authentication via HTTP headers with a token identifier and key (Basic Auth), plus the website ID for the API URL.

Set these as environment variables (stored securely, never logged):

  • CRISP_WEBSITE_ID - Your website identifier (e.g., 0f4c...)
  • CRISP_TOKEN_ID - Your Plugin Token Identifier (e.g., e47d...)
  • CRISP_TOKEN_KEY - Your Plugin Token Key (e.g., a7d7...)

Common Workflows

Check Inbox Status

scripts/crisp.py inbox list --page 1

Read Conversation

scripts/crisp.py conversation get <session_id>

Get Messages in Conversation

scripts/crisp.py messages get <session_id>

Send a Reply

scripts/crisp.py message send <session_id> "Your reply text here"

Search Conversations

scripts/crisp.py conversations search "query terms" --filter unresolved --max 10

Mark as Read

scripts/crisp.py conversation read <session_id>

Resolve Conversation

scripts/crisp.py conversation resolve <session_id>

API Reference

Key endpoints used:

  • GET /v1/website/{website_id}/conversations/{page} - List conversations
  • GET /v1/website/{website_id}/conversation/{session_id} - Get conversation details
  • GET /v1/website/{website_id}/conversation/{session_id}/messages - Get messages
  • POST /v1/website/{website_id}/conversation/{session_id}/message - Send message
  • PATCH /v1/website/{website_id}/conversation/{session_id}/read - Mark as read
  • PATCH /v1/website/{website_id}/conversation/{session_id} - Update/resolve

Base URL: https://api.crisp.chat

Notes

  • Always ask before sending customer replies to confirm tone/content
  • Check for meta.email in conversation for customer email
  • Verify CRISP_WEBSITE_ID, CRISP_TOKEN_ID, and CRISP_TOKEN_KEY are set before running commands
  • Use --json flag for script output when parsing programmatically

Files

4 total
Select a file
Select a file to preview.

Comments

Loading comments…