← Back to Skills Marketplace
Helpscout
by
fabiensebban
· GitHub ↗
· v1.0.2
1925
Downloads
0
Stars
1
Active Installs
3
Versions
Install in OpenClaw
/install helpscout
Description
Fetches messages from specific Helpscout inboxes
README (SKILL.md)
Helpscout Skill
Description
This skill interacts with Helpscout to fetch conversations from specific inboxes and send replies. It is designed to streamline customer support operations directly from OpenClaw.
Features
- Fetch conversations from multiple Helpscout inboxes
- Send replies to conversations (customer-visible or internal notes)
- Filter by status, folder, assignee, customer, tags, and more
- Sort conversations by various fields
- Embed thread data directly in the response
- Securely authenticate using an API key and App Secret
- Handle potential errors like invalid credentials or network issues gracefully
Setup Instructions
To use this skill, you need to configure Helpscout credentials and specify the IDs of the inboxes you want to fetch conversations from.
1. Retrieve Helpscout API Key & App Secret
- Go to your Helpscout account.
- Navigate to Manage > Apps.
- Create or open your app to retrieve the following details:
- API Key
- App Secret
2. Collect Inbox IDs
- Retrieve the IDs of the inboxes you want to fetch conversations from using Helpscout's API documentation.
3. Save Credentials in OpenClaw
Use the following command to save your Helpscout credentials:
cat ~/.openclaw/openclaw.json | jq '.skills.entries.helpscout = {
enabled: true,
env: {
API_KEY: "your-api-key",
APP_SECRET: "your-app-secret",
INBOX_IDS: ["inbox-id-1", "inbox-id-2"]
}
}' | openclaw gateway config.apply
4. Verify Configuration
To ensure the credentials are properly set, check your configuration:
openclaw gateway config.get
Make sure the helpscout object looks correct (avoid sharing the API_KEY or APP_SECRET).
Usage
Basic Usage
Fetch all active conversations from configured inboxes:
const { fetchAllInboxes } = require('./index.js');
// Fetch all active conversations (default)
const results = await fetchAllInboxes();
Advanced Filtering
const { fetchConversations } = require('./index.js');
// Fetch closed conversations from a specific inbox
const conversations = await fetchConversations(321755, {
status: 'closed',
sortField: 'modifiedAt',
sortOrder: 'desc',
page: 1
});
// Fetch conversations assigned to a specific user
const assigned = await fetchConversations(321755, {
assignedTo: 782728,
status: 'active'
});
// Fetch conversations with a specific tag
const tagged = await fetchConversations(321755, {
tag: 'urgent',
status: 'active'
});
// Fetch conversations with embedded threads
const withThreads = await fetchConversations(321755, {
embed: 'threads',
status: 'active'
});
// Advanced search query
const searched = await fetchConversations(321755, {
query: '(customerEmail:[email protected])',
status: 'all'
});
Sending Replies
const { sendReply } = require('./index.js');
// Send a customer-visible reply (will send email)
await sendReply(3227506031, {
text: 'Hi there,\
\
Thanks for your message!\
\
Best regards,',
inboxId: 321755 // Required to auto-fetch customer ID
});
// Send a reply without emailing the customer (imported)
await sendReply(3227506031, {
text: 'Draft reply - not sent to customer yet',
customerId: 856475517, // Or provide inboxId to auto-fetch
imported: true
});
// Send a reply and close the conversation
await sendReply(3227506031, {
text: 'All done! Let me know if you need anything else.',
inboxId: 321755,
status: 'closed'
});
// Create an internal note
const { createNote } = require('./index.js');
await createNote(3227506031, 'Internal note: Customer called, issue resolved.');
sendReply Options
| Parameter | Type | Description |
|---|---|---|
text |
string | Required. The reply text (HTML supported) |
inboxId |
number | Inbox ID - required if customerId not provided (auto-fetches customer) |
customerId |
number | Customer ID - if not provided, will be auto-fetched using inboxId |
imported |
boolean | Mark as imported (won't email customer). Default: false |
status |
string | Conversation status after reply: active, pending, closed. Optional. |
userId |
number | User ID sending the reply. Optional (defaults to authenticated user). |
createNote
| Parameter | Type | Description |
|---|---|---|
text |
string | Required. The note text (HTML supported) |
Available Options (fetchConversations)
| Parameter | Type | Description |
|---|---|---|
status |
string | Filter by status: active, pending, closed, spam, or all (default: active) |
folderId |
number | Filter by folder ID |
assignedTo |
number | Filter by user ID |
customerId |
number | Filter by customer ID |
number |
number | Filter by conversation number |
modifiedSince |
string | ISO8601 date to filter conversations modified after this date |
sortField |
string | Sort field: createdAt, mailboxId, modifiedAt, number, score, status, subject (default: createdAt) |
sortOrder |
string | Sort order: asc or desc (default: desc) |
tag |
string | Filter by tag name |
query |
string | Advanced search query in fieldId:value format |
embed |
string | Comma-separated list of resources to embed: threads |
page |
number | Page number for pagination (default: 1) |
Security Best Practices
- Never hardcode credentials into your codebase.
- Use OpenClaw's
config.applysystem for securely managing sensitive details. - Avoid sharing sensitive parts of your configuration output (
API_KEYandAPP_SECRET) with others.
Contribution Guidelines
- Ensure compliance with Helpscout's API usage policies.
- Add documentation for any new features added.
Usage Guidance
This skill appears to be a genuine Helpscout integration and asks only for Helpscout credentials (API key, App Secret) and inbox IDs, which is expected. However: (1) the SKILL.md usage examples and the shipped code are inconsistent — functions are called with the wrong argument styles, and the sendReply implementation exists but is not exported (index.js imports sendReply and will receive undefined). These look like implementation bugs, not necessarily malicious, but they mean the skill may fail or behave unexpectedly. (2) Credentials are stored via openclaw gateway config.apply (writes into your OpenClaw config file) — only proceed if you trust this skill and its owner. Recommended steps before enabling with real credentials: - Inspect and/or run the package locally in a sandbox: run npm install and npm test (tests use nock/mock); verify getToken and fetch functions work against the Helpscout API. - Fix or request fixes for the parameter mismatch and the missing export (either update fetchConversations signature or usage, and export sendReply if replying should be permitted). - Provide least-privilege credentials (create a Helpscout API key with minimal scopes) and rotate them after testing. - If you do not trust the anonymous publisher or cannot validate the code, do not add real API_KEY/APP_SECRET to your configuration.
Capability Analysis
Type: OpenClaw Skill
Name: helpscout
Version: 1.0.2
The skill is classified as suspicious due to the `fetchConversations` function in `scripts/fetchConversations.js` directly passing a user-controlled `query` parameter to the Helpscout API via `URLSearchParams`. While the skill itself does not demonstrate malicious intent, this pattern introduces a potential API injection vulnerability if the Helpscout API does not adequately sanitize or validate the `query` input. This could lead to unintended or unauthorized actions on the Helpscout platform. All network calls are to the legitimate Helpscout API, and sensitive credentials are handled securely via `openclaw-config` as defined in `config.schema.json`. Notably, the `sendReply` function, which could send customer-visible emails, is explicitly not exported by `index.js` and `scripts/sendReply.js`, indicating an intentional limitation of the skill's capabilities.
Capability Assessment
Purpose & Capability
Name/description, required env vars (API_KEY, APP_SECRET, INBOX_IDS), and network calls target the Helpscout API — these are proportionate to a Helpscout fetch/reply skill. The package declares standard HTTP libraries (node-fetch/undici) which are expected for API interaction.
Instruction Scope
SKILL.md and usage examples present APIs that do not match the implementation: examples call fetchConversations(inboxId, options) and sendReply(...) but scripts/fetchConversations.js defines fetchConversations with a single destructured object parameter and scripts/sendReply.js implements sendReply but does not export it. index.js attempts to import sendReply from the module (it will be undefined). The SKILL.md also instructs storing secrets in ~/.openclaw/openclaw.json via openclaw gateway config.apply — this is expected for this platform but means secrets will be written to disk (normal for skills, but verify you trust the skill). Overall the runtime instructions are inconsistent with the shipped code and could cause failures or unexpected behavior.
Install Mechanism
This is instruction-only (no install spec) which reduces installation risk. The package includes package.json and package-lock.json showing npm dependencies (node-fetch, undici) — standard for HTTP clients. No remote download URLs or extract steps were observed. Because code files are bundled, an install step would pull standard npm packages (traceable).
Credentials
Requested environment variables (API_KEY, APP_SECRET, INBOX_IDS) are appropriate and necessary for Helpscout API access. No unrelated credentials or config paths are requested. Note: the skill directs users to store those secrets via openclaw gateway config.apply which persists them to the OpenClaw config file; ensure you are comfortable storing credentials there.
Persistence & Privilege
always is false and the skill does not request elevated or cross-skill configuration modifications. It does instruct writing its own credentials into the OpenClaw config (expected behavior). Autonomous invocation is allowed by default (disable-model-invocation is false), which is normal — combine that with other red flags if you are concerned.
How to Use
- Make sure OpenClaw is installed (local or Docker)
- Run the install command in chat:
/install helpscout - After installation, invoke the skill by name or use
/helpscout - Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.0.2
- Added the ability to send replies to Helpscout conversations, including customer-visible replies and internal notes.
- Updated documentation to reflect support for sending replies and creating notes.
- New script file (sendReply.js) added for handling replies.
- Minor updates to clarify feature set and usage instructions.
v1.0.1
Added support for all List Conversations API parameters (filtering, sorting, pagination)
v1.0.0
Helpscout Skill v1.0.0 – Initial Release
- Fetches conversations from specified Helpscout inboxes.
- Authenticates securely with API key and App Secret.
- Handles errors such as invalid credentials and network issues.
- Includes setup instructions for credential management and configuration in OpenClaw.
- Emphasizes security best practices for sensitive information handling.
Metadata
Frequently Asked Questions
What is Helpscout?
Fetches messages from specific Helpscout inboxes. It is an AI Agent Skill for Claude Code / OpenClaw, with 1925 downloads so far.
How do I install Helpscout?
Run "/install helpscout" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.
Is Helpscout free?
Yes, Helpscout is completely free (open-source). You can download, install and use it at no cost.
Which platforms does Helpscout support?
Helpscout is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).
Who created Helpscout?
It is built and maintained by fabiensebban (@fabiensebban); the current version is v1.0.2.
More Skills