Back to skill

Security audit

HubSpot

Security checks across malware telemetry and agentic risk

Overview

This is a straightforward HubSpot helper skill that can read and change HubSpot CRM/CMS data when given a valid HubSpot token.

Install only if you intend to let an agent use a HubSpot private app token. Use a least-privilege token, prefer a sandbox or test records during setup, and explicitly confirm any create, update, owner assignment, or association change before running it against production data.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (1)

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The skill includes create/update operations against live HubSpot CRM objects without any warning, confirmation guidance, or recommendation to use test/sandbox data first. In an agent context, this increases the chance of accidental modification of production contacts, deals, and ownership assignments, which can corrupt business records or trigger downstream workflows.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.