Query and manage HubSpot CRM data via the HubSpot API. Use when you need to search or manage contacts, companies, deals, tickets, or pipelines. Supports crea...
Security Analysis
medium confidenceThe skill's requests, instructions, and bundled script align with its stated purpose of calling HubSpot's API using a private app token; nothing in the package appears disproportionate or unrelated to that goal.
Name and description state direct HubSpot API access and the package requires python3 plus a HUBSPOT_TOKEN — both are expected for a simple CLI tool that calls api.hubapi.com.
SKILL.md instructs creating a HubSpot private app, setting HUBSPOT_TOKEN, and running the included Python script. The instructions do not ask the agent to read unrelated files or transmit data to other endpoints; they target only api.hubapi.com.
No install spec (instruction-only) and the code uses only Python standard library; nothing is downloaded or written to disk outside the included script.
Only HUBSPOT_TOKEN is required and declared as the primary credential. That token is necessary for all described operations (read/write on CRM objects) and the scope list in the README matches the operations.
The skill does not request always:true or any system-wide changes. It's user-invocable and does not claim persistent elevated privileges.
Guidance
This skill is coherent: it needs your HubSpot private-app token and uses python3 to call api.hubapi.com. Before installing, ensure you: (1) create a HubSpot private app with only the minimum scopes you need, (2) treat the HUBSPOT_TOKEN as a sensitive secret and only supply it to skills you trust, (3) review the full script locally (the provided listing was truncated in the prompt) to confirm there are no unexpected network calls or data exfiltration, and (4) consider using a token with limited write scopes or a token you can rotate if you're concerned.
Latest Release
v1.0.1
Update display name to Native HubSpot
More by @codeninja23
Published by @codeninja23 on ClawHub
