v0.2.0 · live
CAPFRAME
← leaderboard/rank #78
§ serversandboxfindings.v2

HubSpot MCP

npm:@hubspot/mcp-server@0.4.0

Score
D40
Findings
23
Tools
21
Last scan
2026-06-05

Severity breakdown

Critical0
High7
Medium16
Low0
Info0

Worst finding

Tool `hubspot-batch-create-associations` name implies a side effect that is not declared

· hubspot-batch-create-associations

`hubspot-batch-create-associations` looks like a side-effecting tool (its name contains a mutation verb), but its `side_effects` declaration is []. A policy synthesizer cannot produce safe rules for this tool because it cannot tell what it actually does.

fix: Declare the tool's true side effects explicitly. If the tool is genuinely read-only, rename it to match (e.g. `email.preview` rather than `email.send`).

All 23 findings

  1. high
    Tool `hubspot-batch-create-associations` name implies a side effect that is not declared· hubspot-batch-create-associationsexcessive agency

    `hubspot-batch-create-associations` looks like a side-effecting tool (its name contains a mutation verb), but its `side_effects` declaration is []. A policy synthesizer cannot produce safe rules for this tool because it cannot tell what it actually does.

    fix: Declare the tool's true side effects explicitly. If the tool is genuinely read-only, rename it to match (e.g. `email.preview` rather than `email.send`).

  2. high
    Tool `hubspot-batch-create-objects` name implies a side effect that is not declared· hubspot-batch-create-objectsexcessive agency

    `hubspot-batch-create-objects` looks like a side-effecting tool (its name contains a mutation verb), but its `side_effects` declaration is []. A policy synthesizer cannot produce safe rules for this tool because it cannot tell what it actually does.

    fix: Declare the tool's true side effects explicitly. If the tool is genuinely read-only, rename it to match (e.g. `email.preview` rather than `email.send`).

  3. high
    Tool `hubspot-batch-update-objects` name implies a side effect that is not declared· hubspot-batch-update-objectsexcessive agency

    `hubspot-batch-update-objects` looks like a side-effecting tool (its name contains a mutation verb), but its `side_effects` declaration is []. A policy synthesizer cannot produce safe rules for this tool because it cannot tell what it actually does.

    fix: Declare the tool's true side effects explicitly. If the tool is genuinely read-only, rename it to match (e.g. `email.preview` rather than `email.send`).

  4. high
    Tool `hubspot-create-property` name implies a side effect that is not declared· hubspot-create-propertyexcessive agency

    `hubspot-create-property` looks like a side-effecting tool (its name contains a mutation verb), but its `side_effects` declaration is []. A policy synthesizer cannot produce safe rules for this tool because it cannot tell what it actually does.

    fix: Declare the tool's true side effects explicitly. If the tool is genuinely read-only, rename it to match (e.g. `email.preview` rather than `email.send`).

  5. high
    Tool `hubspot-update-property` name implies a side effect that is not declared· hubspot-update-propertyexcessive agency

    `hubspot-update-property` looks like a side-effecting tool (its name contains a mutation verb), but its `side_effects` declaration is []. A policy synthesizer cannot produce safe rules for this tool because it cannot tell what it actually does.

    fix: Declare the tool's true side effects explicitly. If the tool is genuinely read-only, rename it to match (e.g. `email.preview` rather than `email.send`).

  6. high
    Tool `hubspot-create-engagement` name implies a side effect that is not declared· hubspot-create-engagementexcessive agency

    `hubspot-create-engagement` looks like a side-effecting tool (its name contains a mutation verb), but its `side_effects` declaration is []. A policy synthesizer cannot produce safe rules for this tool because it cannot tell what it actually does.

    fix: Declare the tool's true side effects explicitly. If the tool is genuinely read-only, rename it to match (e.g. `email.preview` rather than `email.send`).

  7. high
    Tool `hubspot-update-engagement` name implies a side effect that is not declared· hubspot-update-engagementexcessive agency

    `hubspot-update-engagement` looks like a side-effecting tool (its name contains a mutation verb), but its `side_effects` declaration is []. A policy synthesizer cannot produce safe rules for this tool because it cannot tell what it actually does.

    fix: Declare the tool's true side effects explicitly. If the tool is genuinely read-only, rename it to match (e.g. `email.preview` rather than `email.send`).

  8. medium
    Tool `hubspot-list-objects` accepts unconstrained string input· hubspot-list-objectsunconstrained input

    The following string parameter(s) have no `maxLength` constraint: `after`, `objectType`. Unbounded strings let an attacker stuff arbitrary payloads through the tool, including indirect-injection content.

    fix: Add a `maxLength` to each string property, or constrain with an `enum` or `pattern`. Most legitimate tool inputs fit under a few hundred bytes.

  9. medium
    Tool `hubspot-search-objects` accepts unconstrained string input· hubspot-search-objectsunconstrained input

    The following string parameter(s) have no `maxLength` constraint: `after`, `objectType`, `query`. Unbounded strings let an attacker stuff arbitrary payloads through the tool, including indirect-injection content.

    fix: Add a `maxLength` to each string property, or constrain with an `enum` or `pattern`. Most legitimate tool inputs fit under a few hundred bytes.

  10. medium
    Tool `hubspot-batch-create-associations` accepts unconstrained string input· hubspot-batch-create-associationsunconstrained input

    The following string parameter(s) have no `maxLength` constraint: `fromObjectType`, `toObjectType`. Unbounded strings let an attacker stuff arbitrary payloads through the tool, including indirect-injection content.

    fix: Add a `maxLength` to each string property, or constrain with an `enum` or `pattern`. Most legitimate tool inputs fit under a few hundred bytes.

  11. medium
    Tool `hubspot-get-association-definitions` accepts unconstrained string input· hubspot-get-association-definitionsunconstrained input

    The following string parameter(s) have no `maxLength` constraint: `fromObjectType`, `toObjectType`. Unbounded strings let an attacker stuff arbitrary payloads through the tool, including indirect-injection content.

    fix: Add a `maxLength` to each string property, or constrain with an `enum` or `pattern`. Most legitimate tool inputs fit under a few hundred bytes.

  12. medium
    Tool `hubspot-list-associations` accepts unconstrained string input· hubspot-list-associationsunconstrained input

    The following string parameter(s) have no `maxLength` constraint: `after`, `objectId`, `objectType`, `toObjectType`. Unbounded strings let an attacker stuff arbitrary payloads through the tool, including indirect-injection content.

    fix: Add a `maxLength` to each string property, or constrain with an `enum` or `pattern`. Most legitimate tool inputs fit under a few hundred bytes.

  13. medium
    Tool `hubspot-batch-create-objects` accepts unconstrained string input· hubspot-batch-create-objectsunconstrained input

    The following string parameter(s) have no `maxLength` constraint: `objectType`. Unbounded strings let an attacker stuff arbitrary payloads through the tool, including indirect-injection content.

    fix: Add a `maxLength` to each string property, or constrain with an `enum` or `pattern`. Most legitimate tool inputs fit under a few hundred bytes.

  14. medium
    Tool `hubspot-batch-update-objects` accepts unconstrained string input· hubspot-batch-update-objectsunconstrained input

    The following string parameter(s) have no `maxLength` constraint: `objectType`. Unbounded strings let an attacker stuff arbitrary payloads through the tool, including indirect-injection content.

    fix: Add a `maxLength` to each string property, or constrain with an `enum` or `pattern`. Most legitimate tool inputs fit under a few hundred bytes.

  15. medium
    Tool `hubspot-batch-read-objects` accepts unconstrained string input· hubspot-batch-read-objectsunconstrained input

    The following string parameter(s) have no `maxLength` constraint: `objectType`. Unbounded strings let an attacker stuff arbitrary payloads through the tool, including indirect-injection content.

    fix: Add a `maxLength` to each string property, or constrain with an `enum` or `pattern`. Most legitimate tool inputs fit under a few hundred bytes.

  16. medium
    Tool `hubspot-list-properties` accepts unconstrained string input· hubspot-list-propertiesunconstrained input

    The following string parameter(s) have no `maxLength` constraint: `objectType`. Unbounded strings let an attacker stuff arbitrary payloads through the tool, including indirect-injection content.

    fix: Add a `maxLength` to each string property, or constrain with an `enum` or `pattern`. Most legitimate tool inputs fit under a few hundred bytes.

  17. medium
    Tool `hubspot-get-property` accepts unconstrained string input· hubspot-get-propertyunconstrained input

    The following string parameter(s) have no `maxLength` constraint: `objectType`, `propertyName`. Unbounded strings let an attacker stuff arbitrary payloads through the tool, including indirect-injection content.

    fix: Add a `maxLength` to each string property, or constrain with an `enum` or `pattern`. Most legitimate tool inputs fit under a few hundred bytes.

  18. medium
    Tool `hubspot-create-property` accepts unconstrained string input· hubspot-create-propertyunconstrained input

    The following string parameter(s) have no `maxLength` constraint: `calculationFormula`, `description`, `fieldType`, `groupName`, `label`, `name`, `objectType`, `type`. Unbounded strings let an attacker stuff arbitrary payloads through the tool, including indirect-injection content.

    fix: Add a `maxLength` to each string property, or constrain with an `enum` or `pattern`. Most legitimate tool inputs fit under a few hundred bytes.

  19. medium
    Tool `hubspot-update-property` accepts unconstrained string input· hubspot-update-propertyunconstrained input

    The following string parameter(s) have no `maxLength` constraint: `calculationFormula`, `description`, `fieldType`, `groupName`, `label`, `objectType`, `propertyName`, `type`. Unbounded strings let an attacker stuff arbitrary payloads through the tool, including indirect-injection content.

    fix: Add a `maxLength` to each string property, or constrain with an `enum` or `pattern`. Most legitimate tool inputs fit under a few hundred bytes.

  20. medium
    Tool `hubspot-create-engagement` accepts unconstrained string input· hubspot-create-engagementunconstrained input

    The following string parameter(s) have no `maxLength` constraint: `type`. Unbounded strings let an attacker stuff arbitrary payloads through the tool, including indirect-injection content.

    fix: Add a `maxLength` to each string property, or constrain with an `enum` or `pattern`. Most legitimate tool inputs fit under a few hundred bytes.

  21. medium
    Tool `hubspot-get-link` accepts unconstrained string input· hubspot-get-linkunconstrained input

    The following string parameter(s) have no `maxLength` constraint: `portalId`, `uiDomain`. Unbounded strings let an attacker stuff arbitrary payloads through the tool, including indirect-injection content.

    fix: Add a `maxLength` to each string property, or constrain with an `enum` or `pattern`. Most legitimate tool inputs fit under a few hundred bytes.

  22. medium
    Tool `hubspot-list-workflows` accepts unconstrained string input· hubspot-list-workflowsunconstrained input

    The following string parameter(s) have no `maxLength` constraint: `after`. Unbounded strings let an attacker stuff arbitrary payloads through the tool, including indirect-injection content.

    fix: Add a `maxLength` to each string property, or constrain with an `enum` or `pattern`. Most legitimate tool inputs fit under a few hundred bytes.

  23. medium
    Tool `hubspot-get-workflow` accepts unconstrained string input· hubspot-get-workflowunconstrained input

    The following string parameter(s) have no `maxLength` constraint: `flowId`. Unbounded strings let an attacker stuff arbitrary payloads through the tool, including indirect-injection content.

    fix: Add a `maxLength` to each string property, or constrain with an `enum` or `pattern`. Most legitimate tool inputs fit under a few hundred bytes.

How this was scored

Source sandbox live tools/list captured in an ephemeral Docker container (parameter schemas included → R1/R2/R4 fire). Findings are emitted by the public capframe.findings.v1 schema. Score = 100 − (10·Critical + 4·High + 2·Medium + 1·Low), clamped to [0, 100].

Disagree with a finding? Open an issue.