Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Build Smart Lists

v1.0.0

Create foundational segmented lists for marketing and sales operations. Includes a master sendable list, ICP-based lists, persona lists, engagement lists, an...

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (high confidence)
! Purpose & Capability
The skill claims to build core marketing/sales lists (HubSpot). The included script indeed targets HubSpot Lists API v3 and will create dynamic lists — capability aligns with purpose. However the registry metadata declares no required env vars or primary credential while the script requires a HUBSPOT_ACCESS_TOKEN (and may use a .env file). That mismatch (no declared credential but code demanding an API token and admin permissions) is an incoherence.
! Instruction Scope
SKILL.md primarily gives step-by-step UI instructions for creating lists and mentions prerequisites (admin rights, other skills). It does not mention the included scripts/execute.py nor that an API token is required to run it. The script automates list creation, reads environment variables, and writes a CSV audit trail — behaviors not documented in SKILL.md, granting broader runtime scope than the written instructions imply.
Install Mechanism
There is no install spec (instruction-only skill), which is low risk. The included script declares Python dependencies (requests, python-dotenv) in header comments but no install step is provided. The script will run only if executed by the agent or user; nothing is downloaded from external URLs. Still, absence of an install spec for required Python packages is an operational gap that can cause surprise failures.
! Credentials
The script requires HUBSPOT_ACCESS_TOKEN (and optionally HUBSPOT_TIMEZONE) and loads .env from the parent directory. Requesting a HubSpot API token is proportionate to creating lists, but the skill metadata does not declare these env vars. Loading a .env from ../.env can read credentials outside the skill folder (broader access than documented). The script writes a local CSV audit file (scripts/execute_build_smart_lists.csv), so it will create files in the workspace.
Persistence & Privilege
The skill is not always-enabled, does not request system-level persistence, and does not modify other skills' configuration. It will perform API operations against the user's HubSpot account when run, which is expected for this task.
What to consider before installing
This skill intends to create HubSpot dynamic lists and includes a Python script that will call the HubSpot Lists API and write a local CSV. Before installing or running it:
1) Verify the source/author and review scripts/execute.py line-by-line (it expects HUBSPOT_ACCESS_TOKEN and will load ../.env).
2) Do not supply a high-privilege token unless you trust the code — prefer a scoped service account with only list-management permissions.
3) Back up or snapshot your HubSpot lists/settings before running; the script will create lists in your live portal.
4) Consider adding explicit requires.env metadata (HUBSPOT_ACCESS_TOKEN) to the skill manifest and documenting the .env usage and CSV output.
5) If you’re not comfortable reviewing the code, ask the publisher for a signed source, clearer docs, or run it in a sandbox account first.

Like a lobster shell, security has layers — review code before you run it.
