Salesforce Fast integrations
Pass
Audited by ClawScan on May 10, 2026.
Overview
This appears to be a legitimate Salesforce integration, but it can access and change CRM data, so users should treat credentials, deletes, bulk actions, and automation deployment carefully.
Before installing, connect only a least-privilege Salesforce account, avoid using admin credentials, review any create/update/delete or bulk request before confirming it, and test automation deployment in a sandbox before activating anything in production.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The skill can act in Salesforce with the permissions of the connected user or integration account.
The skill can retrieve and use a Salesforce access token from the local Salesforce CLI-authenticated org. This is purpose-aligned and bounded to Salesforce CLI org access, but it is still sensitive delegated account authority.
access_token = org.get("accessToken", "") ... os.environ["SALESFORCE_ACCESS_TOKEN"] = access_token
Use a dedicated least-privilege Salesforce integration user or org alias, avoid admin tokens, and disconnect or rotate tokens if you stop using the skill.
Approved actions could create, update, or delete Salesforce Leads, Contacts, Accounts, Opportunities, or Tasks.
The skill includes Salesforce mutation and deletion tools. The code shows confirmation gating and an object allowlist, making this expected for the stated CRM-management purpose, but users should still notice the business-data impact.
def delete_record(object_type: str, record_id: str, confirmed: bool = False) ... "Deleting {object_type} {record_id} requires confirmation. Set confirmed=True to proceed."
Confirm write, delete, and bulk operations explicitly; review record IDs and field changes before approving them.
If approved and later activated in Salesforce, automation could affect future Lead, Contact, or Account records across the org.
The automation module can make persistent org-wide Salesforce configuration changes. The artifact also states that confirmation is required and flows are deployed inactive, so this is a disclosed but important operational risk.
"Deploying Salesforce Flows and Validation Rules is a persistent, org-wide change that will affect all future records."
Test automation in a Salesforce sandbox, review generated flows/rules, and only activate them manually after an admin approves the impact.
Using password-based credentials could give the skill broad access matching that Salesforce user's permissions.
The skill documents an optional username/password/security-token authentication path. This is disclosed and purpose-aligned, but it is more sensitive than scoped OAuth token use.
SALESFORCE_USERNAME=your@email.com
SALESFORCE_PASSWORD=<password>
SALESFORCE_SECURITY_TOKEN=<security-token>
Prefer OAuth or Salesforce CLI login where possible, and if password credentials are used, store them securely and use a least-privilege account.
