v1.0.0

Enrich Company Name

Benign

ClawScan verdict for this skill. Analyzed May 1, 2026, 8:26 AM.

Analysis

The skill is coherent and purpose-aligned, but it should be used deliberately because it can use HubSpot access and bulk-fill a CRM contact field through an ongoing workflow.

Guidance: Before using this skill, make sure you have a safe HubSpot token, review the workflow filters, preserve a way to roll back incorrect CRM changes, and monitor the after-state audit before relying on the enriched data.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Tool Misuse and Exploitation
Severity: Medium | Confidence: High | Status: Note
SKILL.md
Copy FROM: Company > Name ... Copy TO: Contact > Company name ... select **Yes, enroll existing contacts**. This enrolls the entire backlog.

The skill instructs a HubSpot workflow that can update the contact company-name property across the existing CRM backlog.

User impact: If the association logic is wrong, many contact records could receive incorrect company names, affecting segmentation and personalization.
Recommendation: Confirm the workflow filters, export or otherwise preserve a rollback path, run the before-state audit, and monitor results after activation.
Rogue Agents
Severity: Low | Confidence: High | Status: Note
SKILL.md
The **workflow** handles both backlog (enrolled on activation) AND future contacts automatically. It is the long-term solution.

The recommended workflow is a persistent automation that continues applying the enrichment to future contacts.

User impact: The CRM will keep changing future contact records according to this rule until the workflow is disabled or changed.
Recommendation: Document the workflow owner and purpose, review HubSpot workflow logs after launch, and disable or adjust the workflow if the enrichment is no longer desired.
Permission boundary

Checks whether tool use, credentials, dependencies, identity, account access, or inter-agent boundaries are broader than the stated purpose.

Identity and Privilege Abuse
Severity: Medium | Confidence: High | Status: Note
scripts/before.py
TOKEN = os.environ["HUBSPOT_ACCESS_TOKEN"]
HEADERS = {
    "Authorization": f"Bearer {TOKEN}",

The audit script requires a HubSpot access token and uses it to call HubSpot CRM APIs.

User impact: A HubSpot token with broad scopes can expose or allow changes to CRM data if mishandled, even though the shown scripts only perform read-style audits and local CSV output.
Recommendation: Use a least-privilege HubSpot private app token, keep it out of source control, and rotate it if it may have been exposed.