@hubspot/mcp-server

Environment file access

Detected by automated pattern matching (rule DE-002) with medium confidence. May be a false positive.

    5:     accessToken;
    6:     constructor() {
>>> 7:         this.baseUrl = process.env.BASE_URL_OVERRIDE || 'https://api.hubspot.com';
    8:         // HUBSPOT_ACCESS_TOKEN is kept for backwards compatibility.
    9:         this.accessToken =

Environment file access

Detected by automated pattern matching (rule DE-002) with medium confidence. May be a false positive.

    37:     // Implement the process method
    38:     async process(_args) {
>>> 39:         const accessToken = process.env.PRIVATE_APP_ACCESS_TOKEN || process.env.HUBSPOT_ACCESS_TOKEN;
    40:         if (!accessToken) {
    41:             return {

Environment file access

Detected by automated pattern matching (rule DE-002) with medium confidence. May be a false positive.

    8:         // HUBSPOT_ACCESS_TOKEN is kept for backwards compatibility.
    9:         this.accessToken =
>>> 10:             process.env.PRIVATE_APP_ACCESS_TOKEN || process.env.HUBSPOT_ACCESS_TOKEN || '';
    11:         if (!this.accessToken) {
    12:             throw new Error('HubSpot access token is required. Set PRIVATE_APP_ACCESS_TOKEN in your environment variables and retry.');

Decoded base64 content: ��^��'��m��-��%��d

Detected by automated pattern matching (rule DO-BAS) with medium confidence. May be a false positive.

NPM config access (may contain tokens)

Detected by automated pattern matching (rule DE-008) with medium confidence. May be a false positive.

    21:     "format": "prettier --write \"src/**/*.{js,ts}\"",
    22:     "format:check": "prettier --check \"src/**/*.{js,ts}\"",
>>> 23:     "npm:login": "npm_config_userconfig=~/.npmrc.public_publish bend exec npm login",
    24:     "changeset:version": "npm_config_userconfig=~/.npmrc.public_publish changeset version",
    25:     "changeset:publish": "npm_config_userconfig=~/.npmrc.public_publish changeset publish"

NPM config access (may contain tokens)

Detected by automated pattern matching (rule DE-008) with medium confidence. May be a false positive.

    22:     "format:check": "prettier --check \"src/**/*.{js,ts}\"",
    23:     "npm:login": "npm_config_userconfig=~/.npmrc.public_publish bend exec npm login",
>>> 24:     "changeset:version": "npm_config_userconfig=~/.npmrc.public_publish changeset version",
    25:     "changeset:publish": "npm_config_userconfig=~/.npmrc.public_publish changeset publish"
    26:   },

NPM config access (may contain tokens)

Detected by automated pattern matching (rule DE-008) with medium confidence. May be a false positive.

    23:     "npm:login": "npm_config_userconfig=~/.npmrc.public_publish bend exec npm login",
    24:     "changeset:version": "npm_config_userconfig=~/.npmrc.public_publish changeset version",
>>> 25:     "changeset:publish": "npm_config_userconfig=~/.npmrc.public_publish changeset publish"
    26:   },
    27:   "keywords": [

JavaScript fetch() call

Detected by automated pattern matching (rule NS-003) with medium confidence. May be a false positive.

    46:         }
    47:         try {
>>> 48:             const response = await fetch(url, requestOptions);
    49:             if (!response.ok) {
    50:                 const errorData = await response.json().catch(() => ({}));

High-entropy string (4.7 bits/char) — possible encoded payload

Detected by automated pattern matching (rule EN-001) with medium confidence. May be a false positive.