hubspot

Fail

Audited by Gen Agent Trust Hub on Feb 17, 2026

Risk Level: CRITICAL
REMOTE_CODE_EXECUTION, EXTERNAL_DOWNLOADS, COMMAND_EXECUTION, CREDENTIALS_UNSAFE
Full Analysis
  • [REMOTE_CODE_EXECUTION] (CRITICAL): The skill documentation explicitly instructs users to pipe a remote shell script to bash for installation: curl -sSL https://canifi.com/skills/hubspot/install.sh | bash. This is a classic RCE vector where the remote server can change the script content at any time to execute malicious commands.
  • [EXTERNAL_DOWNLOADS] (HIGH): The skill relies on external scripts and tools from canifi.com, which is not a trusted source according to security guidelines. This includes both the primary skill installer and a prerequisite tool: curl -sSL https://canifi.com/install.sh | bash.
  • [COMMAND_EXECUTION] (HIGH): The setup process encourages the use of shell commands to install components and manage environment variables, bypassing standard package management and verification processes.
  • [CREDENTIALS_UNSAFE] (MEDIUM): The skill prompts users to store sensitive data including HUBSPOT_API_KEY, SERVICE_EMAIL, and SERVICE_PASSWORD. While it claims to store these locally via canifi-env, the insecure installation method of that tool makes the security of these credentials unverifiable.
Recommendations
  • HIGH: Downloads and executes remote code from: https://canifi.com/install.sh, https://canifi.com/skills/hubspot/install.sh - DO NOT USE without thorough review
  • AI detected serious security threats
Audit Metadata
  • Risk Level: CRITICAL
  • Analyzed: Feb 17, 2026, 05:34 PM