hubspot-task-manager
Fail
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: HIGH
Findings: CREDENTIALS_UNSAFE, PROMPT_INJECTION
Full Analysis
- [CREDENTIALS_UNSAFE] (HIGH): The skill's configuration helper (scripts/config-helper.js) writes sensitive credentials, including the secret_key and connection_id, to a plain text file at ~/.nango-mcp/credentials.json. This predictable path and lack of encryption allow any local process to harvest these credentials if the environment is compromised.
- [PROMPT_INJECTION] (LOW): The SKILL.md file contains instructions tagged 'CRITICAL - CONTINUOUS EXECUTION' that explicitly command the agent to skip user confirmation and status reporting during multi-step tool execution. This instruction is designed to bypass human-in-the-loop oversight for automated actions.
- [INDIRECT_PROMPT_INJECTION] (LOW): The skill processes external data from HubSpot, creating an attack surface where malicious task content could influence agent behavior.
  - Ingestion points: Data returned by nango-mcp-server_whoami and various HubSpot task fetching tools referenced in SKILL.md.
  - Boundary markers: Absent; no delimiters are used to encapsulate external content in the system prompt instructions.
  - Capability inventory: File system access via config-helper.js, network access to Nango's API, and task creation/deletion capabilities.
  - Sanitization: No input validation or output escaping is performed on data retrieved from HubSpot before it is processed by the agent.
Recommendations
- AI detected serious security threats
Audit Metadata