Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Merge Duplicate Companies

v1.0.0

Identify duplicate company records by domain and name, export audit CSVs for review, and guide merging. API for discovery, third-party tools or manual UI for...

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The name/description match the actual behavior: the script calls the HubSpot API to enumerate companies, finds duplicates by domain/name, and writes CSV audit logs. That functionality is coherent with the stated purpose.
Instruction Scope
The SKILL.md and scripts confine actions to discovery and local CSV export. They only read a .env for HUBSPOT_ACCESS_TOKEN, call api.hubapi.com, and write CSVs under ./data — they do not access unrelated system files or external endpoints beyond HubSpot.
Install Mechanism
There is no install spec in the registry; the script has a comment listing Python dependencies (requests, python-dotenv) and requires Python 3.10+. This is not automatically installed by the platform, so a user must install packages manually. No downloads from unknown URLs or archive extraction are present.
Credentials
The code and SKILL.md require a HubSpot access token (HUBSPOT_ACCESS_TOKEN) and a .env file, but the skill metadata/registry declares no required env vars or primary credential. This mismatch is a red flag: the skill will fail without the token, and the registry understates the level of sensitive access required.
Persistence & Privilege
The skill does not request permanent inclusion (always: false) and does not modify other skills or system settings. It writes only CSV audit files under a local data directory. Autonomous invocation is allowed by default but is not independently suspicious here.
Scan Findings in Context
[uses-dotenv] expected: The script loads a .env and reads HUBSPOT_ACCESS_TOKEN; this is expected for an API-discovery script. Still, the required env var is not declared in the registry metadata.
[http-request-to-hubapi] expected: The script makes authenticated requests to https://api.hubapi.com to list companies, which matches the skill's purpose.
What to consider before installing
This skill appears to do what it says (enumerate HubSpot companies and produce CSVs), but the registry metadata omits that it requires a HubSpot access token and a Python runtime. Before installing or running:
1) Verify the author/source and prefer a trusted origin.
2) Confirm you need to provide HUBSPOT_ACCESS_TOKEN; issue it from a private app granted only the minimal scope required (crm.objects.companies.read) and avoid using a high-privilege token.
3) Run the script in a safe environment (local or ephemeral container) and inspect the generated CSVs before performing any merges.
4) Because merging is manual and irreversible, back up data or test in a sandbox.
5) Ask the publisher to update the registry metadata to declare required env vars and runtime dependencies so the permission surface is clear.
If you cannot verify these items, treat the skill with caution.
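One way to confirm the "Instruction Scope" and "Credentials" findings yourself before installing, as an added example that is neither ClawHub's scanner nor the skill's own code: a small static audit that parses a skill's Python script with the standard `ast` module, collects the environment variables it reads, the hostnames in its URL literals and the paths it opens for writing, and diffs those against what the registry declares. SAMPLE_SCRIPT is a constructed stand-in for the skill's discovery script, not its real source; the only fact taken from the report above is that the registry declares no env vars, which is what makes the token read show up as a finding.

```python
"""Offline permission-surface audit for a Python skill script (added example)."""
import ast
import os
from urllib.parse import urlparse

# Constructed stand-in for the skill's discovery script; not its real source.
SAMPLE_SCRIPT = '''
import os, csv, requests
from dotenv import load_dotenv

load_dotenv()
TOKEN = os.environ["HUBSPOT_ACCESS_TOKEN"]
BASE = "https://api.hubapi.com/crm/v3/objects/companies"

def fetch():
    return requests.get(BASE, headers={"Authorization": f"Bearer {TOKEN}"}).json()

def export(rows):
    with open("./data/duplicates.csv", "w", newline="") as fh:
        csv.writer(fh).writerows(rows)
'''


def _str(node):
    """Return the value of a string-literal node, else None."""
    if isinstance(node, ast.Constant) and isinstance(node.value, str):
        return node.value
    return None


def _is_environ(node):
    """True for `os.environ` (attribute access) or a bare imported `environ`."""
    return (isinstance(node, ast.Attribute) and node.attr == "environ") or (
        isinstance(node, ast.Name) and node.id == "environ")


def audit(source):
    """Collect env-var reads, outbound hosts and write targets from source.

    Only literal keys, URLs and paths are recognised (Python 3.9+ ast layout);
    anything built dynamically needs manual review.
    """
    found = {"env": set(), "hosts": set(), "writes": set()}
    for node in ast.walk(ast.parse(source)):
        # os.environ["KEY"]
        if isinstance(node, ast.Subscript) and _is_environ(node.value):
            key = _str(node.slice)
            if key:
                found["env"].add(key)
        elif isinstance(node, ast.Call):
            fn = node.func
            name = fn.attr if isinstance(fn, ast.Attribute) else getattr(fn, "id", None)
            first = _str(node.args[0]) if node.args else None
            # os.getenv("KEY") / os.environ.get("KEY")
            if first and (name == "getenv"
                          or (name == "get" and _is_environ(getattr(fn, "value", None)))):
                found["env"].add(first)
            # open(path, "w"/"a"/"x"/"+"): record paths opened for writing
            elif first and name == "open":
                mode = _str(node.args[1]) if len(node.args) > 1 else None
                for kw in node.keywords:
                    if kw.arg == "mode":
                        mode = _str(kw.value)
                if any(c in (mode or "r") for c in "wax+"):
                    found["writes"].add(first)
        elif isinstance(node, ast.Constant):
            # URL literals: keep only the hostname the script would contact
            host = urlparse(node.value).hostname if _str(node) and "://" in node.value else None
            if host:
                found["hosts"].add(host)
    return found


def check(source, declared_env, allowed_hosts, write_root):
    """Compare what the script does with what the registry metadata declares."""
    found = audit(source)
    problems = []
    for key in sorted(found["env"] - set(declared_env)):
        problems.append(f"undeclared env var read: {key}")
    for host in sorted(found["hosts"] - set(allowed_hosts)):
        problems.append(f"unexpected outbound host: {host}")
    for path in sorted(found["writes"]):
        if os.path.relpath(path, write_root).startswith(".."):
            problems.append(f"write outside {write_root}: {path}")
    return problems


if __name__ == "__main__":
    # This registry declares no env vars, so the token read is reported,
    # while the HubSpot host and the ./data write match the stated scope.
    for problem in check(SAMPLE_SCRIPT, declared_env=set(),
                         allowed_hosts={"api.hubapi.com"}, write_root="./data"):
        print(problem)
```

To use it on the real skill, read each script under the downloaded skill directory and pass its contents to `check` with the env vars, hosts and data directory the registry entry declares. The audit sees only literals: a host assembled from pieces, a path read from configuration, or a subprocess call into non-Python code will not be caught, so treat an empty result as a reason to read the code, not a reason to skip doing so.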

Like a lobster shell, security has layers — review code before you run it.

latest: vk970b02xy1v3hzb0h9pzv297ad83mhmz
