Maverick Hubspot Mcp
PassAudited by VirusTotal on May 13, 2026.
Overview
Type: OpenClaw Skill Name: maverick-hubspot-mcp Version: 1.0.1 The skill is a legitimate integration for HubSpot CRM via the official HubSpot MCP server (mcp.hubspot.com). The included shell scripts (init-mcporter.sh and invoke.sh) are utility wrappers designed to securely seed and manage OAuth credentials in the local mcporter vault, using best practices like flock for concurrency and environment variables to prevent secret exposure in process lists. No evidence of data exfiltration, malicious execution, or harmful prompt injection was found.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If used incorrectly, the agent could change HubSpot records such as contacts, deals, tickets, activities, or pipeline data.
The skill can mutate business CRM data, but this is disclosed and the instructions require clear user intent before changes.
Write-capable tools can create or update HubSpot CRM records, activities, associations, products, line items, and related pipeline data visible to the connected account. Confirm clear user intent before making changes
Only authorize changes you intend, ask the agent to show the current record and proposed edits first, and review important updates before execution.
The local agent runtime can use the connected HubSpot account according to the OAuth grant, and local vault exposure could expose that access.
The wrapper stores HubSpot OAuth tokens and client information in mcporter's local credential vault so the integration can authenticate.
tokens: {access_token: env.mcp_access, refresh_token: env.mcp_refresh, token_type: "Bearer"},
clientInfo: (
{client_id: env.mcp_client_id}
+ (if env.mcp_client_secret != "" then {client_secret: env.mcp_client_secret} else {} end)Use an appropriately scoped HubSpot app/account, protect the environment variables and mcporter credential vault, and revoke or rotate the OAuth grant if the machine or skill is no longer trusted.
HubSpot MCP server instructions may guide how the agent uses tools during a session.
The skill tells the agent to rely on remote server-published instructions for tool use. That is expected for a hosted MCP pass-through, but it means external provider instructions influence the agent's behavior.
The output includes the server's `Instructions:` field, if published, and a JSON Schema for every tool's parameters. Treat this as the authoritative reference for the rest of the session.
Treat remote tool instructions as tool documentation, not permission to override the user's request or the skill's safety guidance.
The behavior of the integration depends on the installed mcporter package as well as the included wrapper scripts.
The skill depends on installing the mcporter Node package to operate. This dependency is central to the skill and disclosed, but it is still third-party install-time code.
"install": [ { "id": "node", "kind": "node", "package": "mcporter", "bins": ["mcporter"], "label": "Install mcporter (node)" } ]Install from a trusted registry/source and keep mcporter updated according to OpenClaw guidance.