Safety Report

HubSpot

Name: HubSpot
Rating: 5 (4 reviews)
Author: kwall1

@kwall1

HubSpot CRM and CMS API integration for contacts, companies, deals, owners, and content management.

4,080Downloads

17Installs

4Stars

2Versions

API Integration4,971 CRM & Sales861

Security Analysis

high confidence

Clean0.04 risk

This is an instruction-only HubSpot API skill that requests exactly one HubSpot access token and uses curl/jq to call api.hubapi.com — its requirements and instructions are consistent with its stated purpose.

Feb 16, 20262 files1 concern

Purpose & Capabilityok

Name/description (HubSpot CRM/CMS integration) match what the skill asks for: curl + jq and a HubSpot access token. All declared requirements are directly relevant to calling the HubSpot REST API.

Instruction Scopeok

SKILL.md contains explicit curl examples and endpoint URLs limited to https://api.hubapi.com and uses the declared HUBSPOT_ACCESS_TOKEN. The instructions do not ask the agent to read unrelated files, access other environment variables, or send data to third‑party endpoints.

Install Mechanismok

There is no install spec (instruction-only), so nothing is downloaded or written to disk by the skill itself. This is the lowest-risk install model.

Credentialsnote

The skill requires a single credential (HUBSPOT_ACCESS_TOKEN), which is appropriate for HubSpot API calls. Reminder: the token grants whatever scopes the private app provides, so grant least privilege and rotate/limit the token in HubSpot. No other unrelated credentials or config paths are requested.

Persistence & Privilegeok

always:false and no install steps mean the skill does not request persistent system presence or elevated privileges. It is user-invocable and can be called autonomously by the agent (the platform default), which is expected for skills of this type.

Guidance

This skill is internally consistent with its HubSpot integration purpose, but before installing: (1) verify the GitHub homepage (https://github.com/kwall1/hubspot-skill) matches the SKILL.md you expect since the registry source is listed as unknown; (2) provide a HubSpot Private App token with minimal scopes needed (read vs write) and store it securely; (3) rotate or revoke the token if you stop using the skill; (4) replace placeholders in example commands before running them; and (5) be mindful that an agent can call this skill automatically (normal behavior) — avoid granting unnecessarily broad HubSpot scopes if you do not want the agent to create or modify CRM data.

Latest Release

v1.0.1

Fix security flags: added homepage for provenance, declared curl/jq as required binaries, updated metadata format

Popular Skills

self-improving-agent

@pskoett · 1,456 stars

Gog

@steipete · 672 stars

Tavily Web Search

@arun-8687 · 620 stars

Find Skills

@JimLiuxinghai · 529 stars

Proactive Agent

@halthelobster · 426 stars

Summarize

@summarize · 415 stars

Published by @kwall1 on ClawHub