home / skills / openclaw / skills / salesforce-query-openclaw

salesforce-query-openclaw skill

safe

/skills/rikh81/salesforce-query-openclaw

This skill adapts Salesforce queries to your org schema, enabling reliable account contact opportunity workflows with secure Keychain credentials.

npx playbooks add skill openclaw/skills --skill salesforce-query-openclaw

Review the files below or copy the command above to add this skill to your agents.

Files (14)

SKILL.md

4.5 KB

---
name: salesforce-query-openclaw
description: Salesforce querying skill that adapts to each org's schema. Use when hardcoded CRM scripts keep breaking across environments and you need reliable account/contact/opportunity/campaign/activity workflows with secure Keychain credential handling.
metadata:
  {
    "openclaw":
      {
        "homepage": "https://github.com/RikH81/salesforce-query-openclaw-skill",
      },
  }
---

# Salesforce Query (Schema-Adaptive)

Most Salesforce scripts work in one org, then break in the next. This skill was built to fix that.

It discovers your schema first, then runs reusable GTM workflows against what actually exists in your environment.

## Source code

- GitHub: https://github.com/RikH81/salesforce-query-openclaw-skill

## Security model

- Credentials are stored in macOS Keychain (`openclaw.salesforce`)
- No plaintext credential-file fallback
- Supports session-only mode via `--no-save`
- Restricts `SALESFORCE_INSTANCE_URL` to HTTPS Salesforce domains

## 1) Configure credentials

Required variables:
- `SALESFORCE_CLIENT_ID`
- `SALESFORCE_CLIENT_SECRET`
- `SALESFORCE_INSTANCE_URL`

Preferred flow:
1. Create a Salesforce Connected App and dedicated least-privilege integration user.
2. Store secrets in a secure secret manager if possible.
3. Default persistence is macOS Keychain. Plaintext credential-file fallback has been removed.

Credentials can be persisted locally via:

```python
from salesforce_client import save_credentials, check_credentials

ok, missing = check_credentials()
if not ok:
    save_credentials(client_id="...", client_secret="...", instance_url="...")
```

## 2) Run onboarding discovery

Run an end-to-end discovery pass:

```bash
python3 scripts/onboarding.py
```

For session-only credentials (nothing persisted):

```bash
python3 scripts/onboarding.py --no-save
```

If credentials are missing, onboarding prompts for them and saves them before continuing.

If credentials are not ready, run quick setup guidance mode:

```bash
python3 scripts/onboarding.py --guided
```

You can also type `help` at the first credential prompt to show setup guidance inline.

If Python dependency `requests` is missing, onboarding will stop and print explicit setup commands for a local `.venv-salesforce`.

Run a credential safety check any time:

```bash
python3 scripts/credential_doctor.py
```

For automation or CI, pass credentials directly:

```bash
python3 scripts/onboarding.py \
  --client-id "$SALESFORCE_CLIENT_ID" \
  --client-secret "$SALESFORCE_CLIENT_SECRET" \
  --instance-url "$SALESFORCE_INSTANCE_URL" \
  --non-interactive
```

Session-only credentials (no disk persistence):

```bash
python3 scripts/onboarding.py \
  --client-id "$SALESFORCE_CLIENT_ID" \
  --client-secret "$SALESFORCE_CLIENT_SECRET" \
  --instance-url "$SALESFORCE_INSTANCE_URL" \
  --non-interactive --no-save
```

Optional custom output path:

```bash
python3 scripts/onboarding.py --out ~/.config/openclaw/salesforce_profile.json
```

This will:
1. Validate auth.
2. Discover accessible objects.
3. Describe fields on core GTM objects.
4. Detect optional signal packs (intent, revenue, risk, engagement).
5. Generate targeted follow-up questions.
6. Save a reusable profile JSON.

## 3) Ask adaptive follow-ups

Use generated questions from onboarding output, then persist answers in the profile.

Reference question bank:
- `references/question-bank.md`

## 4) Build and use mapping profile

Use `assets/profile-template.json` as the canonical profile format.

Keep uncertain mappings marked as low confidence until user confirms.

## 5) Query patterns

For ready-to-use workflows, use:

```bash
python3 scripts/starter_workflows.py
```

or import functions from `scripts/starter_workflows.py`:
- `top_accounts_to_work_today(...)`
- `pipeline_rescue_board(...)`
- `campaign_followup_opportunities(...)`

Each returns a structured payload with `summary`, `rows`, and `next_best_action` to proactively guide users.

Use `salesforce_client.py` for regular querying:

```python
from salesforce_client import SalesforceClient

sf = SalesforceClient()
accounts = sf.get_account_by_name("Acme")
opps = sf.get_open_opportunities()
```

For schema discovery:

```python
from salesforce_client import SalesforceClient
from schema_discovery import SchemaDiscovery

sf = SalesforceClient()
discovery = SchemaDiscovery(sf)
schema = discovery.discover()
```

## References
- Discovery approach: `references/discovery-playbook.md`
- Follow-up prompts: `references/question-bank.md`
- Security and credential setup: `references/security-setup.md`
- Starter workflow guide: `references/starter-workflows.md`

Overview

This skill provides schema-adaptive Salesforce querying and reusable GTM workflows that run reliably across different orgs. It discovers the target org's objects and fields, builds a mapping profile, and executes account/contact/opportunity/campaign/activity workflows with secure credential handling. The skill uses macOS Keychain by default and supports session-only credential modes for safer automation.

How this skill works

First, the onboarding discovery inspects accessible objects and describes fields for core GTM entities. It generates a profile JSON and adaptive follow-up questions to resolve uncertain mappings. Workflows and query helpers then operate against the discovered schema, returning structured payloads (summary, rows, next_best_action). Credentials are validated and stored securely via the macOS Keychain or run in --no-save session mode.

When to use it

When hardcoded Salesforce scripts fail across multiple orgs or environments.
When you need a repeatable discovery-first approach before running CRM workflows.
When you require secure credential handling without plaintext files.
When automating GTM tasks like pipeline triage, campaign follow-up, or account work queues.
When integrating into CI or automation with non-interactive credential injection.

Best practices

Run the onboarding discovery in each target org to generate an accurate profile before running workflows.
Use a least-privilege connected app and dedicated integration user for authentication.
Keep ambiguous field mappings marked low-confidence and confirm them interactively before persistence.
Use session-only (--no-save) mode for ephemeral runs or CI pipelines to avoid persistent secrets.
Persist the generated profile JSON to reuse discovery results and reduce repeat scanning.

Example use cases

Run starter workflows to produce a daily work list: top_accounts_to_work_today or pipeline_rescue_board.
Discover schema and generate mapping for a newly provisioned Salesforce sandbox.
Automate campaign follow-up by mapping campaign->opportunity links in environments with custom objects.
Validate credential safety and domain restrictions before CI deployments.
Integrate with downstream tools by exporting the profile JSON and structured workflow payloads.

FAQ

How are credentials stored?

By default credentials are stored in the macOS Keychain under a dedicated key; there is no plaintext fallback. You can run in --no-save session mode to avoid persistence.

Can this run in CI or non-interactive environments?

Yes. Pass client ID, client secret, and instance URL as flags or environment variables and include --non-interactive. Use --no-save for session-only credentials.