HubSpot MCP Server — agentic threat model
The HubSpot MCP Server presents a high-risk profile due to its direct read/write access to sensitive CRM data and customer PII, though this risk is partially mitigated by OAuth and private-app token scoping.
OWASP AIVSS score rationale
| Agentic risk factor | Score | Rationale |
| --- | --- | --- |
| Autonomy of Action | 0.50 | |
| Goal-Driven Planning | 0.10 | |
| Self-Modification | 0.00 | |
| Dynamic Tool Use | 0.70 | |
| Persistent Memory | 0.20 | |
| Contextual Awareness | 0.30 | |
| Dynamic Identity | 0.40 | |
| Multi-Agent Interactions | 0.50 | |
| Non-Determinism | 0.20 | |
| Opacity & Reflexivity | 0.20 | |
Scored with the canonical OWASP AIVSS formula (AIVSS calculator reference); agentic risk factors estimated from the agent’s described capabilities.
MAESTRO 7-layer threat model
Per-layer threats for this agent, in MAESTRO layer order. Layers tagged “Not certain from the listing” carry general, caveated commentary because the public directory listing does not describe that layer.
Layer 1 (Foundation Models): Not certain from the listing — The listing describes an MCP server that exposes tools, not the model that consumes them, so model-level weaknesses such as susceptibility to prompt injection cannot be assessed from it. One caveat applies regardless of model: CRM fields such as notes, ticket bodies and email text are attacker-influenced content that the consuming model will read as part of tool results.
Layer 2 (Data Operations): Directly handles sensitive CRM data operations, exposing customer PII, deals, and tickets. Read access alone is enough for bulk exfiltration; write access adds the risk of unauthorized modification of the system of record.
Layer 3 (Agent Frameworks): Exposes powerful tools to search, create, and update CRM objects. Insecure tool integration, or injected instructions that drive tool use, could lead to bulk deletion or corruption of CRM records; there is no indication of per-call caps or confirmation steps on destructive operations.
Layer 4 (Deployment and Infrastructure): Not certain from the listing — The hosting environment, network isolation, and secure storage of OAuth client secrets or private-app tokens are not detailed in the directory listing.
Layer 5 (Evaluation and Observability): Not certain from the listing — There is no mention of per-call audit logging of tool executions, or of real-time guardrails that detect anomalous CRM queries such as unusually broad searches or high mutation rates.
Layer 6 (Security and Compliance): Leverages OAuth and private-app token scopes to enforce authorization boundaries, restricting the MCP server's access to the CRM permissions granted to the token. Scopes bound the blast radius only if the token is minted with the narrowest set the workload needs; a broadly scoped private-app token collapses this control to whatever the calling agent can be induced to request.
Layer 7 (Agent Ecosystem): Acts as an MCP utility server designed to be called by other agents. This introduces agent-to-agent trust risks, where a compromised orchestrator agent could abuse this server to extract CRM data within the token's scopes.
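The tool-integration, observability, authorization and agent-to-agent points above all reduce to one control: a mediation point between the orchestrating agent and the CRM tools that checks caller identity, maps each tool to the token scope it needs, caps destructive batch sizes, and writes an audit record for every call without copying record contents into the log. The following is an added example of such a policy shim, not code from the HubSpot MCP Server project. The tool names, the scope strings (modelled on HubSpot's crm.objects.<object>.<read|write> naming but not verified against the real server), the batch cap, and the in-memory contact store are all assumptions constructed for illustration.

```python
"""Added example (not HubSpot MCP Server code): a policy shim that mediates
every tool call an orchestrating agent sends to a CRM MCP server."""
import json
import time
from dataclasses import dataclass
from typing import Callable, Dict, List

# Hypothetical tool -> required scope table (names are assumptions).
TOOL_SCOPES: Dict[str, str] = {
    "crm_search_contacts": "crm.objects.contacts.read",
    "crm_update_contact": "crm.objects.contacts.write",
    "crm_delete_contacts": "crm.objects.contacts.write",
}
DESTRUCTIVE_TOOLS = {"crm_update_contact", "crm_delete_contacts"}
MAX_DESTRUCTIVE_BATCH = 25  # constructed cap on ids per mutating call


@dataclass(frozen=True)
class Caller:
    agent_id: str      # identity of the orchestrating agent
    scopes: frozenset  # scopes on the OAuth / private-app token it presents


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str


class CrmPolicyShim:
    def __init__(self, trusted_agents, backend: Dict[str, Callable],
                 max_batch: int = MAX_DESTRUCTIVE_BATCH):
        self.trusted_agents = frozenset(trusted_agents)
        self.backend = backend          # tool name -> callable(args)
        self.max_batch = max_batch
        self.audit_log: List[str] = []  # JSON lines; call shape only, no PII

    def authorize(self, caller: Caller, tool: str, args: dict) -> Decision:
        if caller.agent_id not in self.trusted_agents:
            return Decision(False, "caller not in trusted agent set")
        scope = TOOL_SCOPES.get(tool)
        if scope is None:
            return Decision(False, f"unknown tool {tool}")
        if scope not in caller.scopes:
            return Decision(False, f"token lacks scope {scope}")
        n = len(args.get("ids", []))
        if tool in DESTRUCTIVE_TOOLS and n > self.max_batch:
            return Decision(False, f"batch of {n} exceeds cap {self.max_batch}")
        return Decision(True, "ok")

    def call(self, caller: Caller, tool: str, args: dict):
        decision = self.authorize(caller, tool, args)
        # Log who called which tool with how many ids, never the argument
        # values, so the audit trail does not itself become a PII store.
        self.audit_log.append(json.dumps({
            "ts": time.time(), "agent": caller.agent_id, "tool": tool,
            "arg_keys": sorted(args), "id_count": len(args.get("ids", [])),
            "allowed": decision.allowed, "reason": decision.reason,
        }))
        if not decision.allowed:
            raise PermissionError(decision.reason)
        return self.backend[tool](args)


def fake_backend(contacts: Dict[str, dict]) -> Dict[str, Callable]:
    """Constructed in-memory stand-in for the CRM so the example runs offline."""
    return {
        "crm_search_contacts": lambda a: [c for c, p in contacts.items()
                                          if a.get("q", "") in p["email"]],
        "crm_update_contact": lambda a: [contacts[c].update(a["props"]) or c
                                         for c in a["ids"]],
        "crm_delete_contacts": lambda a: [contacts.pop(c, None) is not None
                                          for c in a["ids"]],
    }


def demo() -> dict:
    contacts = {f"c{i}": {"email": f"user{i}@example.com"} for i in range(40)}
    shim = CrmPolicyShim({"orchestrator-1"}, fake_backend(contacts))
    reader = Caller("orchestrator-1", frozenset({"crm.objects.contacts.read"}))
    writer = Caller("orchestrator-1", frozenset({"crm.objects.contacts.read",
                                                 "crm.objects.contacts.write"}))
    rogue = Caller("unknown-agent", frozenset({"crm.objects.contacts.write"}))

    def attempt(caller, tool, args):
        try:
            return shim.call(caller, tool, args)
        except PermissionError as e:
            return f"denied: {e}"

    return {
        "search_hits": len(attempt(reader, "crm_search_contacts", {"q": "user1"})),
        "read_only_delete": attempt(reader, "crm_delete_contacts", {"ids": ["c1"]}),
        "bulk_delete": attempt(writer, "crm_delete_contacts", {"ids": list(contacts)}),
        "small_delete": attempt(writer, "crm_delete_contacts", {"ids": ["c1", "c2"]}),
        "rogue_caller": attempt(rogue, "crm_delete_contacts", {"ids": ["c3"]}),
        "audit_entries": len(shim.audit_log),
        "audit_leaks_email": any("@example.com" in line for line in shim.audit_log),
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Running the block shows a read-scoped token being refused a delete, a write-scoped token being refused a 40-record delete but allowed a 2-record one, an unknown caller being refused outright, and an audit log with one entry per attempt that contains no email addresses. In a real deployment the trusted-agent check would be backed by whatever identity the orchestrator presents (mTLS, a signed request, or a per-agent token) rather than a plain string, and the cap and audit sink would be configured per tenant.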
MAESTRO — the 7-layer agentic threat-modeling framework (Cloud Security Alliance / Ken Huang).