Cleanup Deals

Security checks across malware telemetry and agentic risk

Overview

This HubSpot cleanup skill is instruction-only and purpose-aligned, but it can delete or alter real CRM business records without strong required approval and scoping safeguards.

Review before installing. Use a dedicated least-privilege HubSpot token, require a dry-run export of exact deal and pipeline IDs, get written approval from deal owners or admins before deleting, closing, archiving, or changing stages, and coordinate with Salesforce admins for any synced records.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (1)

Vague Triggers

Medium
Confidence: 87%
Finding
The skill authorizes broad destructive maintenance actions like deleting deals, closing stale opportunities, and removing pipelines, but it does not define sufficiently precise scope boundaries, approval gates, or exclusion criteria before execution. In a CRM context, this can lead to accidental deletion or modification of legitimate business records, especially when heuristic rules such as names containing 'test' or '$0 and no associated contacts' are used without mandatory human review.

VirusTotal

63/63 vendors flagged this skill as clean.
