Attio CRM
v1.0.0
Manage Attio CRM records (companies, people, deals, tasks, notes). Search, create, update records and manage deal pipelines.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The skill's stated purpose (manage Attio CRM) matches the content of SKILL.md and reference docs. However, the declared required binary is 'attio' while the README and setup.sh install and configure 'attio-mcp' and use mcporter; this inconsistency suggests the manifest doesn't accurately describe what will actually be used. A legitimate Attio skill might need attio-mcp and mcporter — the mismatch should be resolved.
Instruction Scope
SKILL.md runtime instructions are limited to running the attio CLI for CRM operations (expected). But the repository also includes a setup.sh that reads a local .env (if present), prompts for credentials, writes a mcporter server config, and symlinks the skill into ~/.clawdbot/skills. The setup actions go beyond just documentation: they persist credentials and modify user config directories, which is scope-expanding compared to the minimal SKILL.md metadata.
Install Mechanism
There is no platform install spec, but setup.sh will run npm install -g attio-mcp if required. Installing from the public npm registry is a common pattern (moderate risk) — nothing indicates a malicious download URL. Still, setup.sh performs global npm installs and filesystem changes, so run it manually and inspect the package(s) beforehand.
Credentials
The skill metadata and registry list only ATTIO_ACCESS_TOKEN as a required env var, but README and setup.sh also require ATTIO_WORKSPACE_ID and the mcporter config stores both. The setup script will prompt for and then write both values into ~/.config/mcporter/servers/attio/config.json in plaintext. Requesting and persisting the workspace ID is reasonable for connecting to Attio, but the manifest should declare it; storing API tokens unencrypted on disk increases exposure.
Persistence & Privilege
The skill is not marked 'always', and agent autonomous invocation remains allowed (default). The setup script will create/overwrite ~/.config/mcporter/servers/attio/config.json and symlink the skill into ~/.clawdbot/skills/attio, i.e., it modifies user config and persists credentials. That behavior is plausible for a Moltbot skill but is a privilege that merits caution because it leaves credentials and config on disk.
What to consider before installing
This skill largely does what it claims (Attio CRM workflows) but has a few red flags you should verify before installing:
- Manifest vs files mismatch: the declared required binary is 'attio', but setup and docs install/use 'attio-mcp' and mcporter. Confirm which CLI/server the environment needs and that those binaries are trustworthy.
- Missing declared env var: README and setup.sh require ATTIO_WORKSPACE_ID in addition to ATTIO_ACCESS_TOKEN. The skill metadata omits the workspace ID — assume the setup will ask for both.
- Persistent plaintext credentials: setup.sh writes your ATTIO_ACCESS_TOKEN and WORKSPACE_ID into ~/.config/mcporter/servers/attio/config.json in cleartext. If you install, consider restricting file permissions, using a secrets manager, or avoiding persisting the token.
- Installer actions: setup.sh runs npm install -g attio-mcp (global package install), creates directories under your home, and symlinks the skill. Run the script manually (not as root), inspect attio-mcp on npm/GitHub first, and run in a controlled environment if you have doubts.
- Source/ownership: registry metadata shows an owner ID and no homepage; the README links to a GitHub repo but the package origin isn't proven by the registry entry. If you need to trust this skill, verify the attio-mcp project and the repository owner directly.
If any of the above is unacceptable, do not run setup.sh; instead manually install and configure only the components you trust and keep tokens out of persistent configs where possible.
Like a lobster shell, security has layers — review code before you run it.
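One way to act on the file-permission advice above, as an added example that is not part of the skill, its setup.sh, or the scan output: a POSIX shell audit of the config path the scan names. The function names are hypothetical, and the script inspects only file metadata because the page does not show the JSON layout.

```shell
#!/bin/sh
# Added example (not part of the skill): audit the file where setup.sh is
# reported to store ATTIO_ACCESS_TOKEN in cleartext. Only file metadata is
# inspected; the JSON layout is not shown on the page, so it is never parsed.

# Print octal permission bits (GNU stat first, BSD/macOS stat as fallback).
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Succeed only when the mode grants nothing to group or other.
mode_is_private() {
    case "$1" in
        0|*00) return 0 ;;
        *)     return 1 ;;
    esac
}

# Prints one of: missing | symlink | ok | fixed
audit_secret_file() {
    f=$1
    # Refuse symlinks: chmod would follow the link and change another file.
    if [ -L "$f" ]; then echo symlink; return 2; fi
    if [ ! -f "$f" ]; then echo missing; return 1; fi
    status=ok
    # The containing directory should not be listable by other users either.
    d=$(dirname "$f")
    if ! mode_is_private "$(file_mode "$d")"; then
        chmod 700 "$d"; status=fixed
    fi
    if ! mode_is_private "$(file_mode "$f")"; then
        chmod 600 "$f"; status=fixed
    fi
    echo "$status"
}

# Run against the path named in the scan when invoked with "audit".
if [ "${1:-}" = "audit" ]; then
    audit_secret_file "$HOME/.config/mcporter/servers/attio/config.json"
fi
```
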
Attio CRM
Quick Commands
```bash
# Search for records
attio search companies "Acme"
attio search deals "Enterprise"
attio search people "John"

# Get record details by ID
attio get companies "record-uuid"
attio get deals "record-uuid"

# Add a note to a record
attio note companies "record-uuid" "Title" "Note content here"

# List notes on a record
attio notes companies "record-uuid"

# See available fields for a record type
attio fields companies
attio fields deals

# Get select field options (e.g., deal stages)
attio options deals stage
```
Golden Rules
- Discover fields first - Run `attio fields <type>` before updating records
- Check select options - Run `attio options <type> <field>` for dropdown values
- Use internal values - Select fields use internal names, not display labels
- When uncertain, use notes - Put unstructured data in notes, not record fields
- Format data correctly - Numbers as `85`, arrays as `["Value"]`, booleans as `true`/`false`
Workflow Index
Load these references as needed:
- Company workflows - `references/company_workflows.md`
- Deal workflows - `references/deal_workflows.md`
- Field guide - `references/field_guide.md`
Command Reference
| Command | Description |
|---|---|
| `attio search <type> "<query>"` | Search records |
| `attio get <type> <id>` | Get record details |
| `attio update <type> <id> record_data='{...}'` | Update record |
| `attio create <type> record_data='{...}'` | Create record |
| `attio delete <type> <id>` | Delete record |
| `attio note <type> <id> "<title>" "<content>"` | Add note |
| `attio notes <type> <id>` | List notes |
| `attio fields <type>` | List available fields |
| `attio options <type> <field>` | Get select options |

Record types: companies, people, deals, tasks
Common Workflows
Look up a company

```bash
attio search companies "Acme Corp"
```

Get deal details

```bash
attio get deals "deal-uuid-here"
```

Add meeting notes to company

```bash
attio note companies "company-uuid" "Meeting Notes" "Discussed pricing. Follow up next week."
```

Check deal stages before updating

```bash
attio options deals stage
```

Update deal stage

```bash
attio update deals "deal-uuid" record_data='{"stage":"negotiation"}'
```
Pipeline Stages
Never hard-code stage names. Always check first:
```bash
attio options deals stage
```
Use the internal value (e.g., negotiation), not the display label (e.g., "Negotiation").
