MCP Vendor Intelligence
First-PartyFirst-PartyWraps HubSpot

@hubspot/mcp-server

by HubSpot, Inc.v0.4.0

HubSpot's first-party MCP is the official option for letting an LLM agent operate against your HubSpot CRM, with 21 tools spanning objects, properties, associations, engagements, workflows, and UI link generation. The most important caveat is an undocumented `BASE_URL_OVERRIDE` environment variable: when set, it silently redirects every authenticated API call to an arbitrary host of the buyer's — or attacker's — choosing, with no startup warning, no logging, and no entry in the README. The package has been stagnant since beta launch (11 months, no patches) and ships no SECURITY.md or responsible-disclosure channel. Treat this as a usable but under-disclosed first-party option: if you control the host environment tightly, the redirect risk is theoretical; if not, this MCP can be silently weaponized by anything that can write to the process's environment.

7 findings8 BTI-M codes
Max severity (buyer-facing)
HIGH

How To Read This Profile

BLACKOUT performed static analysis of the published npm package and supporting documentation, classified each behavior using our BTI-M (Behavioral Threat Intelligence — MCP runtime) taxonomy, and recorded findings with severity calibrated from a buyer's perspective. Anomalies below the findings list are hygiene observations that may not directly affect security but contribute to the overall trust posture.

Overview

What This MCP Does

Who built it. HubSpot, Inc. — the publicly-traded CRM and marketing automation vendor. Published as @hubspot/mcp-server on npm, currently in beta (version 0.4.0). The package is subject to HubSpot's Early Adopter Program legal terms.

What it does. Lets an LLM agent read, search, create, and update objects in your HubSpot CRM (contacts, companies, deals, tickets), manage associations between them, log engagements (calls, emails, notes, tasks), retrieve workflow definitions, and generate links into the HubSpot UI. 21 tools total, spanning OAuth, Objects, Properties, Associations, Engagements, Workflows, and Links categories.

What it collects. A HubSpot Private App access token, supplied via the PRIVATE_APP_ACCESS_TOKEN environment variable. The token is read at startup and used to authenticate every outbound HubSpot API call.

What it stores. Nothing on disk by default. The token is held in process memory only. However, the package auto-loads any .env file it finds in the current working directory via dotenv/config, which expands the surface for misconfigured environments (see findings).

Where data goes. By default, HubSpot's API at https://api.hubapi.com. The destination is configurable via an undocumented BASE_URL_OVERRIDE environment variable — if set, every API call (including authenticated ones with your token) is redirected to that URL. This is the primary disclosure gap in the package: a silent redirect vector that the README doesn't mention.

Findings

7 Findings

8 BTI-M CODES

Each finding maps to one or more BTI-M codes. Buyer-facing severity reflects how a reasonable buyer should weigh the issue when deciding whether to deploy this MCP. Code review severity (when shown separately) is the analyst's view of the underlying defect or design choice.

Pattern 7BTI-M14MCP-S-HUBSPOT-007

Same env-var-override pattern recurs in HubSpot's other developer tooling

MEDIUM

The BASE_URL_OVERRIDE pattern observed in this package recurs in HubSpot's broader developer tooling — multiple HubSpot-published packages support a similar undocumented URL override variable. Cited as a cross-package pattern because it indicates the omission is a HubSpot-wide design choice rather than a per-package oversight.

Evidence (2 references)
  • @hubspot/mcp-server@0.4.0 (this server): process.env.BASE_URL_OVERRIDE at dist/utils/client.js:7 — redirects API base URL; not documented in README
    • @hubspot/local-dev-lib@5.6.0: process.env.HUBAPI_DOMAIN_OVERRIDE at lib/urls.js:11 — redirects HubSpot API domain; not documented in README
    • @hubspot/api-client@13.5.0 (flagship SDK, 2,779 source files): zero process.env.* reads of any kind — explicit conf.baseServer parameter only
    • @hubspot/cli@8.6.0: 30 process.env.* reads, none of them URL overrides
Finding 1BTI-M01MCP-S-HUBSPOT-001

Undocumented `BASE_URL_OVERRIDE` env var silently redirects every API call to an arbitrary host

HIGH

When the BASE_URL_OVERRIDE environment variable is set, the package replaces HubSpot's API URL with whatever value the variable contains, then sends your access token plus every authenticated API call to that destination — including payloads containing CRM data. There's no startup banner, no logging of the override, no entry in the README documenting the variable. The behavior is intentional (it's used for HubSpot's own internal testing) but the disclosure gap is real: any process that can write to the MCP server's environment can silently route your CRM through itself.

Evidence (5 references)
  • dist/utils/client.js:7this.baseUrl = process.env.BASE_URL_OVERRIDE || 'https://api.hubspot.com';
    • dist/utils/client.js:24let url = ${this.baseUrl}${path}; (every API request inherits baseUrl)
    • dist/utils/client.js:34Authorization: Bearer ${this.accessToken} (token attached to every request, including those routed via BASE_URL_OVERRIDE)
    • dist/tools/oauth/getUserDetailsTool.js:53-55 — POSTs the access token in the request body as tokenKey to /oauth/v2/private-apps/get/access-token-info. If BASE_URL_OVERRIDE is set, the access token is exfiltrated as a body parameter, not just as a header.
    • dist/index.js:2import 'dotenv/config'; — reads any .env file in the working directory at startup. A .env file containing BASE_URL_OVERRIDE=... is silently honored.
    • BASE_URL_OVERRIDE is not mentioned in README.md, package.json, or anywhere else in the published artifact. Verified by full-text search.
Also cites:BTI-M06BTI-M12
Finding 2BTI-M09cMCP-S-HUBSPOT-002

Public source repository is empty despite the package shipping with an MIT license

MEDIUM

HubSpot's mcp-server package is published with an MIT license, which implies the source code is publicly readable. The repository URL declared in package.json resolves, but the code that actually ships in the npm package isn't there. Buyers who try to audit the source against the published binary, or to file an issue against the open-source community, find an empty repo. The code is auditable from the npm tarball itself, but the open-source posture implied by the license isn't backed by an active public repo.

Evidence (0 references)
  • package.json — license declared as MIT; no repository field declared.
    • https://github.com/HubSpot/mcp-server — repository exists but the page reads "This repository is empty." 4 stars, 0 forks, 5 open issues, last activity 2025-04-25.
    • npm tarball ships a compiled dist/ directory only. There is no public source, no public PR history, no public commit log.
Also cites:BTI-X12
Finding 3BTI-X04MCP-S-HUBSPOT-003

Package description on npm understates what the MCP actually does

LOW

The npm package description text reads as if the MCP exposes a narrow surface, but the actual tool set is broad — full CRUD across CRM objects, full engagement logging, workflow inspection, UI link generation. Buyers evaluating the MCP from npm metadata alone may underestimate the scope of permissions the access token will need.

Evidence (2 references)
  • package.json:4"description": "MCP Server for developers building HubSpot Apps"
    • README.md:3 describes a CRM-data MCP. Tools registered in dist/tools/toolsRegistry.js are CRM-data operations (objects, properties, associations, engagements, workflows). Zero tools relate to HubSpot App development (no create_app, deploy_app, manage_components, etc.).
Finding 4BTI-M10MCP-S-HUBSPOT-004

Beta version has been current for 11 months with no patches and no CHANGELOG

MEDIUM

The package was released as version 0.4.0 in beta and hasn't been updated since. There's no CHANGELOG describing intended next steps, no public issue tracker showing roadmap, and no statement from HubSpot about beta-to-GA timing. Buyers deploying this in production should treat it as a frozen artifact rather than an actively maintained one.

Evidence (0 references)
  • npm view @hubspot/mcp-server time — v0.4.0 published 2025-06-18; no later versions as of 2026-05-06.
    • No CHANGELOG.md in the published tarball.
    • No .changeset/ directory (despite package.json declaring @changesets/cli as a devDependency and including changeset:version / changeset:publish scripts — implying changesets are used internally but the markdown changesets aren't shipped).
    • README still labels the product "beta" and references the Early Adopter Program.
Finding 5BTI-X12MCP-S-HUBSPOT-005

No SECURITY.md, no responsible-disclosure channel for a beta product holding CRM credentials

MEDIUM

The package ships with no SECURITY.md file, no documented vulnerability-disclosure process, and no contact path for security researchers who find issues. For a publicly-traded vendor's beta product that handles authenticated CRM credentials, this is a hygiene gap that buyers in regulated industries should weigh.

Evidence (0 references)
  • No SECURITY.md in the npm tarball.
    • No SECURITY.md referenced in README.
    • No mention of HubSpot's bug bounty (which exists at bugcrowd.com/hubspot) in the package or README.
Finding 6BTI-M12MCP-S-HUBSPOT-006

Auto-loads `.env` from the working directory, increasing the redirect attack surface

LOW

The package starts with dotenv/config imported, which silently reads any .env file in the current working directory and merges its contents into the process environment. Combined with the undocumented BASE_URL_OVERRIDE variable (Finding 1), this means a malicious or misconfigured .env file in the buyer's working directory can silently redirect every API call to an arbitrary host without the buyer ever explicitly setting any environment variable.

Evidence (2 references)
  • dist/index.js:2import 'dotenv/config';
    • package.json:18"dotenv": "^16.5.0"
    • README's example install configurations (Claude Desktop / Cursor / etc.) instruct users to set PRIVATE_APP_ACCESS_TOKEN in the MCP client's env: block — i.e., in the MCP client's config, not in a .env file. README never mentions .env files. But the server reads them anyway.
Also cites:BTI-M01BTI-M06
BTI-M Code Index

Codes Cited In This Profile

Each link goes to the BTI-M code reference page where you can see every MCP server in the corpus that triggered the same code.