Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Cleanup Forms

v1.0.0

Audit and remove unused, test, or deprecated forms from HubSpot. Identifies forms with zero submissions, forms not embedded on any page, and test forms left...

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
! Purpose & Capability
The skill's stated purpose (audit and remove HubSpot forms) matches the actions described in SKILL.md (calling the Forms API, identifying candidates, deleting via API or UI). However, the SKILL.md explicitly requires a HUBSPOT_API_TOKEN and the hubspot-api-client Python package, but the registry metadata declares no required environment variables or dependencies — this mismatch is unexpected and unexplained.
Instruction Scope
Instructions focus on listing forms, flagging candidates, checking references (workflows, embedded pages, pop-ups), and deleting. Checking whether a form is embedded or referenced may require additional HubSpot APIs or manual UI checks; the doc notes plan-level 403s but does not list which extra API scopes/endpoints will be used or how to discover embeddings/reference usage programmatically. Deletion is irreversible in HubSpot, and the instructions correctly recommend exports, but the instructions leave implementation details vague (e.g., how to detect embeddings or workflow triggers).
Install Mechanism
This is an instruction-only skill with no install spec and no code files, so nothing will be written to disk by an installer. The runtime assumes Python and a third-party client library, but the skill does not attempt to install them itself — that is a low install risk but shifts responsibility to the user/agent environment.
! Credentials
SKILL.md requires a HUBSPOT_API_TOKEN (stored in .env) and the hubspot-api-client package, but the skill metadata lists no required env vars; this discrepancy is a red flag. The single credential requested by the instructions is proportionate to the task, but the token will likely need broad HubSpot scopes (forms, workflows, CMS/pages, possibly CMS API for embedded checks). The SKILL.md does not enumerate required API scopes or permissions.
Persistence & Privilege
The skill does not request persistent presence (always: false) and does not modify other skills or system config. Autonomous invocation is allowed by default, which is normal; there is no evidence the skill requests elevated platform privileges.
What to consider before installing
This skill appears to be a plausible HubSpot forms cleanup recipe, but you should not install or run it without clarifying a few things:
(1) SKILL.md expects a HUBSPOT_API_TOKEN (via .env) and a Python client library — the registry metadata fails to declare that; confirm the skill's metadata is corrected.
(2) Confirm what HubSpot API scopes the token must have (Forms, Workflows, CMS/pages, CTA) because deletion and reference checks may need broad access; use a token with the minimum required scopes and avoid using an admin key unless necessary.
(3) The SKILL.md mentions possible 403s on some plans — verify your HubSpot plan/API access before relying on automated deletion.
(4) Deletions are irreversible in HubSpot: export form definitions and back up any submission data before deleting.
(5) The document has a minor typo ('uv' for installation) — ask the author how they expect you to install dependencies.
If you cannot get these clarifications, treat the skill as untrusted and perform the audit manually in HubSpot UI or with your own vetted scripts.

