hubspot-automation
Audited by Socket on Feb 20, 2026
1 alert found:
Obfuscated File
The manifest describes legitimate HubSpot automation capabilities and shows no direct code-level malware patterns (no obfuscation, hardcoded secrets, or remote shells). The primary security concern is supply-chain/trust: the design routes OAuth tokens and all CRM traffic through a managed MCP (example: rube.app/mcp). That centralization significantly raises the risk of credential theft or data exfiltration if the MCP operator is untrusted or compromised. Recommend: verify MCP operator security and privacy policies, require minimal OAuth scopes, enable token lifecycle controls, perform least-privilege role separation for batch operations, and prefer direct HubSpot integration when handling highly sensitive CRM data.