hubspot-automation
Fail
Audited by Gen Agent Trust Hub on Feb 15, 2026
Risk Level: HIGH
PROMPT_INJECTION, EXTERNAL_DOWNLOADS, DATA_EXFILTRATION
Full Analysis
- [Prompt Injection] (HIGH): The skill is highly vulnerable to Indirect Prompt Injection (Category 8). It processes data from HubSpot CRM objects like tickets and contacts, which can contain content from untrusted external actors. Combined with its write capabilities, this allows for potential automated exploitation.
  - Evidence Chain:
    - (1) Ingestion points: search and read tools in SKILL.md (Workflows 1-4).
    - (2) Boundary markers: Absent; no delimiters or instructions to ignore embedded commands are provided.
    - (3) Capability inventory: tools like HUBSPOT_CREATE_CONTACT, HUBSPOT_UPDATE_COMPANIES, and property creation allow modification of the CRM state.
    - (4) Sanitization: Absent.
- [External Downloads] (HIGH): The skill instructions direct users to connect an unverified external MCP server (https://rube.app/mcp). Since this server is not from a trusted source, it introduces a risk of remote code execution or logic manipulation by the third-party provider.
- [Data Exfiltration] (MEDIUM): By routing sensitive CRM operations through a non-whitelisted third-party domain (rube.app), the skill creates a risk of sensitive data exposure or exfiltration to an untrusted endpoint.
Recommendations
- AI detected serious security threats