Quarterly Database Cleanup

This skill appears to be a valid plan for a HubSpot CRM audit, but there are missing and vague pieces you should clarify before installing or running it: - Metadata mismatch: The SKILL.md says a HubSpot API token (in .env) and Python hubspot client are required, but the registry metadata declares no credentials or binaries. Ask the author to add a required env var (e.g., HUBSPOT_API_TOKEN) and any required binaries to the metadata. - Limit credential scope: If you proceed, provide a HubSpot API token that is scoped to read-only audit operations (not full write/admin access) and avoid placing other secrets in the same .env file. - Confirm /hubspot-audit: The instructions reference running '/hubspot-audit' and 'reuse audit script patterns' but no script is included. Confirm whether this is an existing internal CLI or a placeholder; get the concrete commands or scripts you'd run so you can review them first. - Files and secrets: The skill tells the agent to read reports/ and .env. Review what lives in those locations before running the audit to avoid accidental disclosure of unrelated secrets. Consider copying only the needed HubSpot token into a minimal env file for the audit. - Logging and output: Ensure reports do not inadvertently include sensitive raw contact data (PII) if you plan to store or share them. If the author updates the metadata to declare the HubSpot credential and documents the exact commands or scripts to run (or includes vetted scripts), this would reduce the concerns and could be considered benign. Until then, treat it cautiously and do not supply broad credentials or let it run autonomously without human review.