ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Cleanup Workflows

v1.0.0

Audit and remove inactive, test, or deprecated workflows from HubSpot. Identifies workflows that have never enrolled contacts, workflows turned off for 90+ d...

0· 96·0 current·0 all-time
by@tomgranot

Install

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for tomgranot/cleanup-workflows.

Previewing Install & Setup.
Prompt PreviewInstall & Setup
Install the skill "Cleanup Workflows" (tomgranot/cleanup-workflows) from ClawHub.
Skill page: https://clawhub.ai/tomgranot/cleanup-workflows
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

Bare skill slug

openclaw skills install cleanup-workflows

ClawHub CLI

Package manager switcher

npx clawhub@latest install cleanup-workflows
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
!
Purpose & Capability
The SKILL.md describes auditing and deleting HubSpot workflows and the instructions use the HubSpot Workflows API — that aligns with the stated purpose. However, the skill metadata declares no required environment variables or primary credential, while the instructions explicitly require a HubSpot API token in a .env file. This mismatch (a core credential required by the runtime but not declared) is incoherent and should be clarified.
!
Instruction Scope
The instructions tell the agent to read a HubSpot API token from environment (.env / os.getenv) and call api.hubapi.com automation endpoints — those actions are appropriate for the stated task. But the SKILL.md also references installing 'hubspot-api-client' while the example uses requests/os.getenv (and the snippet omits the os import). The doc also instructs deletion of workflows (sensitive write actions) but does not include example safe-delete code, nor does it enumerate required API scopes. These are gaps that increase risk if you run the steps without review.
Install Mechanism
This is an instruction-only skill with no install spec or code files, so there is no installer risk. There is a minor inconsistency: the prereqs say 'hubspot-api-client' installed via 'uv' (likely a typo) even though the shown sample uses requests. No downloads or arbitrary URLs are suggested.
!
Credentials
The runtime requires a HubSpot API token to call/modify workflows, which is expected for the task — but the skill registry lists no required env vars or primary credential. The absence of declared credential requirements in metadata is concerning because it prevents automated permission checks and hides that a high-privilege token is needed. The instructions do not recommend limiting token scopes or using a read-only/test account prior to deletion operations.
Persistence & Privilege
The skill does not request persistent installation, system paths, or 'always' inclusion. It is user-invocable and can be invoked autonomously (the platform default), which is normal; nothing indicates elevated or persistent privileges beyond normal API access.
What to consider before installing
This skill’s instructions legitimately require a HubSpot API token and call HubSpot’s Workflows API, but the skill metadata fails to declare that credential — an important mismatch. Before using or granting any token: (1) verify the author/source (homepage is missing), (2) prefer using a least-privilege or test HubSpot API token (restrict scopes; avoid full-admin tokens), (3) review the exact code you will run (the SKILL.md has small typos/mismatches: mentions hubspot-api-client but example uses requests; 'uv' looks wrong), (4) don't run delete operations until you confirm required API scopes and have backups/documentation, and (5) consider running the audit read-only first to produce a candidate list and only perform deletions after human review. If possible, ask the publisher to update the skill metadata to declare HUBSPOT_API_TOKEN (primaryEnv) and to provide explicit delete code with recommended scopes and safety checks.

Like a lobster shell, security has layers — review code before you run it.

latestvk9703s9vcmf5mxgtm88tn296rx83nmwv
96downloads
0stars
1versions
Updated 1mo ago
v1.0.0
MIT-0
@tomgranot
latest
Download

Cleanup Workflows

Audit HubSpot workflows to remove dead weight. Unused workflows clutter the automation dashboard and make it harder to understand what is actually running.

Prerequisites

  • HubSpot API token in .env
  • Python with hubspot-api-client installed via uv
  • Note: The Workflows API may return 403 on some plan tiers. If so, audit manually in HubSpot UI under Automation > Workflows.

Step-by-Step Instructions

Stage 1: Before — Inventory All Workflows

Pull all workflows. The Automation API endpoint for workflows:

import requests

headers = {"Authorization": f"Bearer {os.getenv('HUBSPOT_API_TOKEN')}"}
response = requests.get(
    "https://api.hubapi.com/automation/v4/flows",
    headers=headers,
    params={"limit": 100}
)
workflows = response.json()

For each workflow, record: ID, name, enabled status, type, enrollment count, created date, last updated date.

Stage 2: Execute — Identify Candidates for Deletion

Flag workflows matching any of these criteria:

  1. Turned off for 90+ days with no plans to reactivate
  2. Zero enrollments ever (likely test or abandoned drafts)
  3. Test workflows (names containing "test", "temp", "copy of", "draft")
  4. Superseded workflows replaced by newer versions
  5. Error state workflows that have been failing consistently

Before deleting, check:

  • Does the workflow feed into another workflow (via enrollment trigger)?
  • Does the workflow set properties that other workflows depend on?
  • Is there any documentation referencing this workflow?

Stage 3: After — Delete and Document

  1. Turn off workflows first, wait one week, then delete if no issues arise.
  2. Document deleted workflows in a cleanup log (name, purpose, reason for deletion).
  3. Notify workflow owners before deletion.

Stage 4: Rollback

  • Deleted workflows cannot be restored.
  • Before deleting, screenshot or document the workflow logic (triggers, actions, branches) so it can be recreated if needed.
  • HubSpot retains workflow activity history on contact records even after the workflow is deleted.

Tips

  • Use folders in the workflows dashboard to organize by team, purpose, or status.
  • Prefix draft/test workflows with "[TEST]" so they are easy to identify later.
  • Review workflows quarterly as part of the database cleanup routine.

Comments

Loading comments...