The Agent Skills Directory

PROMPT_INJECTION (HIGH): Indirect Prompt Injection Surface. The skill is designed to ingest data from external CRM providers which are untrusted sources.
Ingestion points: Data enters the agent context through tool calls that retrieve records from HubSpot and Salesforce (e.g., in scripts/connect-direct.js and various success scenarios).
Boundary markers: Absent. There are no delimiters or instructions to the agent to treat external CRM data as untrusted or to ignore embedded instructions.
Capability inventory: The skill provides tools for listing, creating, and modifying records in CRM systems via the Nango API, which allows an attacker-controlled CRM record to potentially influence the agent to perform unintended write operations.
Sanitization: No validation or sanitization of external CRM content is performed before it is presented to the agent.
CREDENTIALS_UNSAFE (HIGH): Insecure credential management and storage.
Evidence: scripts/config-helper.js writes the NANGO_SECRET_KEY in plaintext to a local file at ~/.nango-mcp/credentials.json.
Evidence: scripts/check-auth.js allows passing the secret key as a command-line argument (process.argv[3]), which is an insecure practice as it may be visible in process listings and shell history.
DATA_EXFILTRATION (MEDIUM): Network transmission of credentials.
Evidence: Sensitive authentication tokens are sent as Bearer tokens to https://api.nango.dev in scripts/check-auth.js and scripts/connect-direct.js. While this is the intended service endpoint, the handling of raw secrets by the agent runtime increases the risk of exposure within logs or if the endpoint is misconfigured.

connect-to-nango-mcp