hubspot-integration
Integrates HubSpot CRM with expert patterns for OAuth, CRUD operations, and webhooks using Node.js and Python SDKs.
Security score
The hubspot-integration skill was audited on May 12, 2026, and we found 33 security issues across 4 threat categories, including 1 high-severity issue. Review the findings below before installing.
Security Issues
Template literal with variable interpolation in command context
| 554 | console.log(`Unhandled event: ${subscriptionType}`); |
Fetch to external URL
| 47 | const response = await fetch("https://api.hubapi.com/oauth/v1/token", { |
Fetch to external URL
| 74 | const response = await fetch("https://api.hubapi.com/oauth/v1/token", { |
Webhook reference - potential data exfiltration
| 4 | authentication, CRM objects, associations, batch operations, webhooks, and |
Webhook reference - potential data exfiltration
| 14 | CRM objects, associations, batch operations, webhooks, and custom objects. |
Webhook reference - potential data exfiltration
| 469 | ### Webhook Handling |
Webhook reference - potential data exfiltration
| 480 | // Webhook signature validation |
Webhook reference - potential data exfiltration
| 481 | function validateWebhookSignature( |
Webhook reference - potential data exfiltration
| 495 | // Express webhook handler |
Webhook reference - potential data exfiltration
| 496 | app.post("/webhooks/hubspot", async (req, res) => { |
Webhook reference - potential data exfiltration
| 502 | const isValid = validateWebhookSignature( |
Webhook reference - potential data exfiltration
| 509 | console.error("Invalid webhook signature"); |
Webhook reference - potential data exfiltration
| 516 | console.error("Webhook timestamp too old"); |
Webhook reference - potential data exfiltration
| 525 | await queue.add("hubspot-webhook", event); |
Webhook reference - potential data exfiltration
| 533 | async function processWebhookEvent(event: any) { |
Webhook reference - potential data exfiltration
| 558 | // Webhook subscription types: |
Webhook reference - potential data exfiltration
| 568 | - Max 1000 webhook subscriptions per app |
Webhook reference - potential data exfiltration
| 717 | ### Webhook Requests Must Be Validated |
Webhook reference - potential data exfiltration
| 759 | ### Missing Webhook Signature Validation |
Webhook reference - potential data exfiltration
| 763 | Webhook endpoints must validate HubSpot signatures |
Webhook reference - potential data exfiltration
| 765 | Message: Webhook endpoint without signature validation. Validate X-HubSpot-Signature-v3. |
Access to .env file
| 31 | const CLIENT_ID = process.env.HUBSPOT_CLIENT_ID; |
Access to .env file
| 32 | const CLIENT_SECRET = process.env.HUBSPOT_CLIENT_SECRET; |
Access to .env file
| 33 | const REDIRECT_URI = process.env.HUBSPOT_REDIRECT_URI; |
Access to .env file
| 114 | accessToken: process.env.HUBSPOT_PRIVATE_APP_TOKEN, |
Access to .env file
| 169 | accessToken: process.env.HUBSPOT_TOKEN, |
Access to .env file
| 263 | accessToken: process.env.HUBSPOT_TOKEN, |
Access to .env file
| 360 | accessToken: process.env.HUBSPOT_TOKEN, |
Access to .env file
| 505 | process.env.HUBSPOT_CLIENT_SECRET |
Access to .env file
| 581 | accessToken: process.env.HUBSPOT_TOKEN, |
External URL reference
| 38 | const authUrl = new URL("https://app.hubspot.com/oauth/authorize"); |
External URL reference
| 47 | const response = await fetch("https://api.hubapi.com/oauth/v1/token", { |
External URL reference
| 74 | const response = await fetch("https://api.hubapi.com/oauth/v1/token", { |