hubspot
Audited by Socket on Feb 17, 2026
1 alert found:
Malware [Skill Scanner]: Natural language instruction to download and install from URL detected

All findings:
[CRITICAL] command_injection: Natural language instruction to download and install from URL detected (CI009) [AITech 9.1.4]
[HIGH] command_injection: Backtick command substitution detected (CI003) [AITech 9.1.4]
[HIGH] command_injection: Backtick command substitution detected (CI003) [AITech 9.1.4]

Functionally this skill manifest is coherent: it documents a Maton-managed gateway for HubSpot APIs and requires a MATON_API_KEY. There is no direct malicious code in the provided text. The main security concern is architectural: all HubSpot API traffic and OAuth tokens are proxied and managed by Maton (gateway.maton.ai / ctrl.maton.ai / connect.maton.ai). That is consistent with the stated purpose but concentrates sensitive credentials and data with a third party. Use is acceptable only if the operator trusts Maton. No other red flags (obfuscation, hardcoded keys, command execution) were found.

LLM verification: The SKILL.md describes a legitimate-seeming HubSpot integration that routes HubSpot API calls and OAuth management through Maton-managed endpoints. There is no code-level malicious behavior or obfuscated payload in the provided document. The main security concern is architectural: user API keys and OAuth tokens are sent to and managed by a third-party service (maton.ai domains). This requires explicit trust in Maton; if an organization cannot trust Maton to handle credentials and data, they shou