Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Create Segment Lists

v1.0.0

Create business segment lists in HubSpot for customers, partners, competitors, employees, ICP tiers, and industries. Enables segment-based targeting, suppres...

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (high confidence)
[!] Purpose & Capability
The SKILL.md clearly implements HubSpot list creation (consistent with the name/description). However, the skill's registry metadata declares no required environment variables or credentials while the instructions require a HUBSPOT_API_TOKEN in a .env file. That omission is an inconsistency: the skill will need a HubSpot credential but does not declare it.
[!] Instruction Scope
Instructions are primarily limited to creating/verifying HubSpot lists (appropriate). They explicitly require reading a .env file for HUBSPOT_API_TOKEN and using a Python client. The SKILL.md also references running other commands (/create-icp-tiers and /fix-lifecycle-stages) without explaining whether those are other skills or external tools — this expands the actual runtime scope and is ambiguous. No instructions ask to send data to unexpected external endpoints beyond HubSpot.
Install Mechanism
This is an instruction-only skill with no install spec or bundled code, so nothing is written to disk by the skill itself. The SKILL.md recommends Python and `hubspot-api-client`, but no installer is provided. Note: the doc contains a probable typo 'uv' for installation which should be clarified.
[!] Credentials
The runtime instructions require a HubSpot API token (HUBSPOT_API_TOKEN) read from .env, which is reasonable for HubSpot operations. However, the registry metadata does not declare this required credential or any config path. Asking the agent to read a .env file (undisclosed in metadata) increases risk if users expect platform-managed secrets. Recommend declaring the credential and advising use of platform secret storage rather than a local .env file.
Persistence & Privilege
The skill does not request persistent/always-on presence (always:false) and does not modify other skills or global agent settings. It relies on agent invocation and user-provided credentials; no elevated privileges are requested in metadata.
What to consider before installing
This skill appears to do what it claims (create HubSpot lists) but there are important inconsistencies you should address before installing or running it:
- The SKILL.md expects a HubSpot API token (HUBSPOT_API_TOKEN) stored in a .env file, but the skill metadata does not declare any required environment variables. Confirm where/how you must supply the API token and prefer using your platform's secret store instead of a plaintext .env file.
- The instructions require Python and the hubspot-api-client library but provide no install steps; 'uv' in the doc looks like a typo — ask the author to clarify installation steps.
- The doc references other commands (/create-icp-tiers, /fix-lifecycle-stages) without explaining whether those are other skills or scripts. Ask for clarification so you know what additional actions will be invoked.
- Follow least-privilege practices: create a HubSpot token scoped only to lists and read/write operations needed (avoid full account-scoped tokens), and review tokens/workflows that reference lists before deleting anything.
- If you plan to allow autonomous agent invocation, be extra cautious: an agent with network access and an API token can modify HubSpot data. Prefer manual invocation until you confirm the skill's behavior and declare required secrets in the registry.

Like a lobster shell, security has layers — review code before you run it.

latestvk975frnevx0ta8n5hzfbytyh5n83mymb
