Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Pipedrive CRM (OpenClaw)

v0.1.0

Manage Pipedrive CRM from OpenClaw using API v1, including people, organizations, deals, leads, activities, notes, pipelines, and custom endpoint actions. Us...

Install

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for danielfoch/pipedrive-crm-openclaw.

Install the skill "Pipedrive CRM (OpenClaw)" (danielfoch/pipedrive-crm-openclaw) from ClawHub.
Skill page: https://clawhub.ai/danielfoch/pipedrive-crm-openclaw
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

openclaw skills install pipedrive-crm-openclaw

ClawHub CLI

npx clawhub@latest install pipedrive-crm-openclaw

Security Scan

  • VirusTotal: Suspicious
  • OpenClaw: Suspicious (medium confidence)

Purpose & Capability
The skill's name, description, SKILL.md, and scripts all consistently implement a Pipedrive API helper (CRUD, search, pipeline movement, raw request passthrough). However the registry metadata lists no primary credential or required environment variables even though the code and documentation clearly expect PIPEDRIVE_API_TOKEN or PIPEDRIVE_ACCESS_TOKEN and PIPEDRIVE_COMPANY_DOMAIN. That metadata omission is an inconsistency.
Instruction Scope
SKILL.md and the scripts limit actions to Pipedrive API calls and setup prompts. Runtime instructions do not direct the agent to read unrelated local files, system credentials, or call external endpoints beyond Pipedrive. Safety rules in SKILL.md explicitly warn not to echo raw tokens.
Install Mechanism
No install spec or third-party downloads; the skill is instruction/code-only and uses only stdlib Python (urllib). No remote installers or archives are fetched.
Credentials
The skill legitimately requires secrets (PIPEDRIVE_API_TOKEN or PIPEDRIVE_ACCESS_TOKEN) and PIPEDRIVE_COMPANY_DOMAIN, but the registry metadata declares none and does not set a primary credential. That mismatch reduces transparency and could lead a user to unknowingly provide credentials to an undeclared skill surface. The number and type of env vars requested by the code are proportionate to the stated purpose, but they are not surfaced in the declared requirements.
Persistence & Privilege
The skill does not request always:true, does not modify other skills or global agent config, and runs only when invoked. It does not request elevated or persistent system privileges.
What to consider before installing
This skill appears to be a straightforward Pipedrive API helper: it needs either a PIPEDRIVE_API_TOKEN (query param auth) or a PIPEDRIVE_ACCESS_TOKEN (Bearer OAuth) and the PIPEDRIVE_COMPANY_DOMAIN. Before installing:

  1. Note the registry metadata currently does NOT declare these required environment variables or a primary credential — that's an information/visibility gap (not necessarily malicious, but unexpected).
  2. Only provide a least-privilege API token or an OAuth token with minimal scopes needed for the operations you'll perform.
  3. Review the included scripts (pipedrive-api.py and setup-wizard.py) yourself or run them in a safe environment: they only call pipedrive.com endpoints and do not exfiltrate data to any other domain.
  4. If you need stronger assurance, ask the publisher to update registry metadata to declare required env vars and a primary credential; if that is corrected and you validate the code, the skill would appear coherent and reasonable.

Latest: v0.1.0 (1 version) · License: MIT-0 · 656 downloads · 0 stars

Pipedrive CRM for OpenClaw

Use this skill to run day-to-day CRM operations in Pipedrive through API calls, including CRUD, search, pipeline movement, activity logging, and any unsupported operation via raw endpoint requests.

Required Environment

Set one authentication mode:

  • PIPEDRIVE_API_TOKEN for API token auth (simplest)
  • PIPEDRIVE_ACCESS_TOKEN for OAuth bearer auth

Set base routing:

  • PIPEDRIVE_COMPANY_DOMAIN (for example: acme for https://acme.pipedrive.com)

Optional:

  • PIPEDRIVE_API_BASE to override full API base URL (defaults to https://<company>.pipedrive.com/api/v1)
  • PIPEDRIVE_TIMEOUT request timeout in seconds (default 30)
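
A pre-flight check for the variables listed above, as an added example that is not part of the skill's own scripts. It reports an environment that would send the token somewhere other than a Pipedrive host. The function names, the "exactly one token" reading of the auth rule, and the `*.pipedrive.com` host policy are assumptions of this example.

```python
import re
from urllib.parse import urlsplit

TOKEN_VARS = ("PIPEDRIVE_API_TOKEN", "PIPEDRIVE_ACCESS_TOKEN")
LABEL = re.compile(r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?", re.I)

def redact(value):
    """Mask a secret for display, per the skill's 'never echo raw tokens' rule."""
    return f"<set, {len(value)} chars>" if value else "<unset>"

def check_env(env):
    """Return a list of findings for a Pipedrive skill environment (a dict)."""
    findings = []
    present = [v for v in TOKEN_VARS if env.get(v)]
    if not present:
        findings.append("no auth token set")
    elif len(present) > 1:  # assumption: "one authentication mode" means exactly one
        findings.append("both auth modes set; keep one")
    company = env.get("PIPEDRIVE_COMPANY_DOMAIN", "")
    if not LABEL.fullmatch(company):
        # Dots or slashes here would change the host in https://<company>.pipedrive.com
        findings.append("PIPEDRIVE_COMPANY_DOMAIN is not a single DNS label")
    base = env.get("PIPEDRIVE_API_BASE", "")
    if base:
        url = urlsplit(base)
        host = (url.hostname or "").lower()
        if url.scheme != "https":
            findings.append("PIPEDRIVE_API_BASE is not https")
        if url.username or url.password:
            findings.append("PIPEDRIVE_API_BASE embeds credentials")
        # Assumed policy: the token may only be sent to *.pipedrive.com.
        if not host.endswith(".pipedrive.com"):
            findings.append(f"PIPEDRIVE_API_BASE host {host!r} is outside pipedrive.com")
    try:
        if not float(env.get("PIPEDRIVE_TIMEOUT", "30")) > 0:
            raise ValueError
    except ValueError:
        findings.append("PIPEDRIVE_TIMEOUT is not a positive number")
    return findings

if __name__ == "__main__":
    # Constructed sample environments; the token value is a placeholder.
    good = {"PIPEDRIVE_API_TOKEN": "PLACEHOLDER-TOKEN", "PIPEDRIVE_COMPANY_DOMAIN": "acme"}
    bad = dict(good, PIPEDRIVE_API_BASE="http://crm-proxy.example.net/api/v1")
    for name, env in (("good", good), ("bad", bad)):
        print(name, redact(env["PIPEDRIVE_API_TOKEN"]), check_env(env) or "ok")
```

Pass `dict(os.environ)` to `check_env` before invoking the skill, and treat any finding as a reason not to export the token into that session.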

Setup

If the user asks to connect or validate credentials:

python3 skills/pipedrive-crm-openclaw/scripts/setup-wizard.py

Primary Script

Run:

python3 skills/pipedrive-crm-openclaw/scripts/pipedrive-api.py <command> [args]

Core commands:

  • test_connection
  • list <entity> [--start N] [--limit N]
  • get <entity> <id>
  • create <entity> <json_payload>
  • update <entity> <id> <json_payload> [--method PUT|PATCH]
  • delete <entity> <id>
  • search <entity> <term> [--limit N] [--fields csv] [--exact-match]
  • move_deal_stage <deal_id> <stage_id> [--status open|won|lost|deleted]
  • add_note <content> [--deal-id ID] [--person-id ID] [--org-id ID] [--lead-id UUID]
  • request <METHOD> <path> [--query '{...}'] [--body '{...}']

Supported entities:

  • persons
  • organizations
  • deals
  • leads
  • activities
  • notes
  • products
  • users
  • pipelines
  • stages

Practical OpenClaw Playbooks

Lead Intake and Qualification

  1. search persons "name or email" to deduplicate.
  2. create persons '{...}' if no match.
  3. create deals '{...}' and link person/org.
  4. add_note "summary" --deal-id <id> to preserve context.

Pipeline Management

  1. list deals with filters through request query.
  2. move_deal_stage <deal_id> <stage_id>.
  3. create activities '{...}' for next follow-up.

Daily Follow-Up Queue

  1. list activities and search persons.
  2. update activities <id> '{"done":1}' after completion.
  3. Log interaction with add_note.

Safety Rules

  • Never print or echo raw tokens in chat output.
  • Read before write when user intent is ambiguous.
  • Validate IDs from API responses before destructive actions.
  • If response is 401 or 403, stop and request corrected credentials/scopes.
  • Use request for endpoints not yet wrapped by helper commands.

References

Load as needed:

  • references/entity-playbooks.md
  • references/pipedrive-v1-notes.md
