Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Cleanup Properties

v1.0.0

Archive or delete unused custom properties across all HubSpot object types (contacts, companies, deals). Identifies Salesforce sync properties, test/temp pro...

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
! Purpose & Capability
The SKILL.md clearly requires a HubSpot API token and a Python client to run, but the registry metadata lists no required environment variables or dependencies. That mismatch (credential and dependency needed but not declared) is inconsistent with the stated skill packaging.
Instruction Scope
Instructions are focused on inventorying, archiving, and deleting HubSpot custom properties, which aligns with the description. However, the runtime steps omit concrete API calls for checking forms/workflows/lists and for counting populated records, contain small code omissions (uses os.getenv but never imports os), and include a likely typo ('uv' for installing the hubspot client). The guidance correctly stresses archiving before deletion.
Install Mechanism
This is an instruction-only skill with no install spec or bundled code, so there is no installer risk. The SKILL.md does reference installing a Python package, but no install steps are declared in the registry.
! Credentials
The instructions require a HUBSPOT_API_TOKEN (not declared in metadata) which would grant access to read and modify CRM data. The skill does not declare required env vars or the expected minimum token scopes (read vs write). That omission prevents assessing whether requested privileges are appropriately limited.
Persistence & Privilege
The skill does not request persistent presence (always: false) and has no install actions that would alter other skills or system-wide settings.
What to consider before installing
This skill's purpose (clean up HubSpot custom properties) is reasonable, but the SKILL.md and the registry metadata disagree: the instructions expect a HUBSPOT_API_TOKEN in a .env file and a Python dependency, yet the skill declares no required environment variables or install steps. Before installing or running it:
(1) require that the skill metadata declare HUBSPOT_API_TOKEN and indicate the minimum necessary API scopes (prefer read-only/inventory first, then separate write permission for archival/deletion);
(2) fix the SKILL.md typos and make all API calls explicit (including how to check form/workflow/list usage and counts of populated records);
(3) run the process in a test/sandbox HubSpot account first and produce a report of candidate properties without deleting anything;
(4) enforce an approval workflow (human review) before any archival/deletion and keep detailed logs; and
(5) coordinate with Salesforce admins for any hs_salesforce_* properties.
Given the credential gap and missing safeguards, treat this skill as suspicious until metadata and instructions are corrected and you confirm token scope and a safe review process.

Like a lobster shell, security has layers — review code before you run it.

latestvk97cswdcjr48t1x5pmym9sz79183nzh5
