HubSpot Breeze Agent Security Risks

Category: Business Process Agents
Vendor: hubspot.com
AI Risk Quadrant position: Tight Operators (the other quadrants are Exposed Giants, Fortified Leaders and Humble Providers)

AIRQ Score: 4.01 (High)
Attack Surface: 4.8 (Medium)
Blast Radius: 3.75 (Medium)
Defense Controls: 8 (Medium)
About The Agent

HubSpot Breeze is a cloud-hosted CRM AI agent suite that ships as part of HubSpot Professional and Enterprise editions. It runs pre-built agents for marketing automation, sales prospecting, content generation, and customer service, with Breeze Studio enabling custom agent creation. Default configuration activates a chat assistant, knowledge vaults for document ingestion, MCP client connections to external systems like Notion and Zapier, and automation triggers that fire agents on CRM workflow events without per-execution approval. The agent uses vendor-selected LLMs including OpenAI GPT 4.1 and Anthropic Claude Opus 4.5.

About the AI Risk Quadrant

Tight Operators describes agents whose defense controls outpace their combined attack and blast exposure. HubSpot Breeze scores 4.80 on attack surface, reflecting a trifecta-complete input profile across chat, documents, web browsing, and MCP channels. Its blast radius of 3.75 stays contained because Breeze cannot execute arbitrary code, access the host file system, or reach operator infrastructure. Defense controls score 8 out of 15, anchored by PurpleLlama model protection, write-tool approval gates, and centralized audit logging with programmatic API access.

1 Key Risks

The most critical security risks an operator inherits when deploying this agent in its documented default configuration. Breeze agents present a trifecta-complete input surface with moderate blast radius constrained by the absence of code execution and limited infrastructure access on default configuration.

Key Input Risks
Breeze agents accept natural-language prompts via the chat assistant, customer-facing chatbot widgets, user-uploaded PDFs in knowledge vaults, and arbitrary web content through built-in browsing. PacketLabs penetration testing confirmed prompt injection was not fully remediated across these input surfaces [2].
Key Execution Risks
Agents execute CRM read and write operations, content generation, and web browsing within HubSpot's multi-tenant cloud infrastructure without documented container or sandbox isolation specific to Breeze. PacketLabs testing found low overall risk, but no public audit of the per-agent execution boundary exists [5].
Key Action Risks
Automation-triggered agents run without per-execution approval by design, and the Prospecting Agent sends outreach emails autonomously once configured by an administrator. No per-instance stop mechanism exists for a running agent, limiting operator intervention during execution [2].
Key Output Risks
Agents emit generated text, blog content, emails, and chat responses through HubSpot's content management system and customer-facing chat widget. No Breeze-specific DLP, credential redaction, or URL sanitization is documented for output channels reaching external visitors [3].
Key Monitoring Risks
HubSpot provides centralized audit logging with API access, security activity export, and email notifications for account-level events. No automated anomaly detection specific to Breeze agent actions is documented, leaving behavioral drift detection as an operator responsibility [10].

2 AIRQ Scores

The four headline scores quantify how exposed the agent is, how damaging a successful attack would be, and how much the agent’s own controls reduce that risk. The AIRQ composite captures Breeze's overall risk exposure from CRM-scoped agent operations on HubSpot's cloud platform.

AIRQ Metrics

Breeze lands in the Tight Operators quadrant with X = 4.80, Y = 3.75, and Z = 8, indicating moderate exposure offset by documented vendor controls.

Attack surface and blast radius are scored out of 10, defense controls out of 15, and the AIRQ composite out of 15.

| Metric | Score | Comments |
| --- | --- | --- |
| AIRQ Score | 4.01 | An AIRQ of 2.93 places Breeze in the lower-risk band, where operator hardening focuses on trifecta-breaking and monitoring gaps. |
| Blast Radius | 3.75 / 10 | Blast radius of 3.75 stays moderate because Breeze lacks code execution, file system access, and infrastructure reach. |
| Attack Surface | 4.8 / 10 | Attack surface of 4.80 reflects trifecta-complete input channels across chat, documents, web browsing, and MCP connections. |
| Defense Controls | 8 / 15 | Defense score of 8 credits vendor-documented model protection and write-tool approval gates while penalizing absent execution isolation and output DLP documentation. |

3 Attack Surface

Attack surfaces are the entry points and interaction patterns through which adversarial input can reach the agent’s reasoning loop and steer its behavior. Breeze's reasoning loop ingests natural-language prompts, uploaded documents, web content, CRM records, and MCP payloads as first-class input.

Attack Surface Metrics

Higher scores indicate more attacker-reachable input surfaces; Breeze scores no higher than 2 on most axes because only class-level evidence is available.

Each row maps a documented input surface to its base score and any evidence-driven penalty adjustment.

| Surface | Score | Comments |
| --- | --- | --- |
| User Input | 2 / 4 | Chat assistant and customer-facing chatbot accept free-form natural language from authenticated users and anonymous visitors [13]. |
| External Data | 2 / 4 | Web browsing fetches arbitrary content and MCP client receives third-party data from Notion, Zapier, and Asana [9]. |
| Memory | 2 / 4 | Knowledge vaults persist uploaded PDFs and CRM segments across sessions with automatic re-indexing on source updates [7]. |
| Reasoning | 2 / 4 | Vendor-selected LLMs process prompts through PurpleLlama filtering, but the model card lists prompt injection as a covered red-teaming area without full remediation [4]. |
| Planning | 2 / 4 | Breeze Studio configures automation triggers that fire agents on CRM workflow events with per-tool approval toggles [6]. |
| Tool Execution | 2 / 4 | Agents call CRM operations, content generation, and web browsing tools but have no shell access or arbitrary code execution [8]. |
| Orchestration | 2 / 4 | Agents run asynchronously in the background without a per-instance stop mechanism, limiting mid-execution intervention [2]. |
| Inter-Agent | 2 / 4 | MCP client extends agents to external systems via OAuth-authenticated remote servers with scoped tool permissions [9]. |
| Output Processing | 1 / 4 | Generated content passes through HubSpot's CMS pipeline and the customer agent displays a "Powered by AI" label [13]. |
| Configuration | 2 / 4 | Super Admin must enable AI features, and the platform API carried an access-control flaw allowing unauthenticated data viewing [1]. |

The Lethal Trifecta is triggered when an agent processes untrusted content, accesses private data, and communicates externally in the same session — the three conditions that turn an isolated prompt injection into full-chain exfiltration. Breeze agents ingest untrusted visitor messages and uploaded documents, access CRM records containing customer PII, and send data outbound through MCP connections and customer chat responses.

Lethal Trifecta · Complete (3 of 3)

HubSpot Breeze exhibits all three of these conditions in its documented default configuration:

  • Untrusted input — Customer chat widgets accept anonymous visitor messages and knowledge vaults ingest user-uploaded PDFs containing potentially malicious content [7].
  • Sensitive data — Agents access CRM records containing contact PII, deal values, email conversations, and customer conversion data scoped by Super Admin toggles [3].
  • External egress — MCP client sends data to external systems, web browsing makes outbound requests, and the customer agent responds to external visitors [9].

4 Blast Radius

The blast radius is what an attacker who controls the agent can reach — which systems they touch, which credentials they read, and which actions they take without operator approval. A compromised Breeze agent reaches CRM records, OAuth-scoped external systems, and outbound email but cannot execute code or access operator infrastructure.

Blast Radius Metrics

Higher blast scores indicate wider damage reach; Breeze peaks at 2 for network, credentials, and autonomous actions.

Each row maps a potential compromise outcome to its score based on documented agent capabilities and integration scopes.

| Factor | Score | Comments |
| --- | --- | --- |
| Code execution | 1 / 4 | Breeze has no shell, sandbox, or code-execution surface; agent operations are limited to CRM and content tools [8]. |
| File system access | 1 / 4 | Knowledge vaults accept document uploads, but agents cannot read or write arbitrary files outside the HubSpot platform [7]. |
| Network access | 2 / 4 | Web browsing and MCP client make outbound HTTP requests to external services scoped by admin-configured connections [9]. |
| Credential access | 2 / 4 | OAuth tokens for MCP integrations and API keys for private apps are managed through HubSpot's credential store [5]. |
| Autonomous action | 2 / 4 | Automation-triggered agents execute CRM writes and send outreach emails without per-execution operator approval [6]. |
| Deployment access | 1 / 4 | Breeze cannot reach operator cloud accounts, IaC repositories, or production deployment systems [13]. |

5 Defense Controls

Defense controls are what the agent’s own architecture does to detect, contain, and report attacks before they reach the operator’s systems. HubSpot documents PurpleLlama input filtering, default-on approval gates, and audit logging while leaving execution isolation and output DLP to operator verification.

Defense Controls Metrics

Higher defense scores credit stronger vendor-documented safeguards; lower scores flag operator-managed or undocumented controls.

Each component is scored on whether the vendor implements the control by default versus requiring operator configuration.

| Component | Score | Comments |
| --- | --- | --- |
| Input Guardrails | 2 / 3 | PurpleLlama filters inputs and PromptArmor assesses AI vendor risk, but PacketLabs found prompt injection not fully remediated [4]. |
| Execution Isolation | 1 / 3 | Multi-tenant cloud hosting with SOC 2 certification, but no documented per-agent sandbox or container isolation [5]. |
| Action Controls | 2 / 3 | "Review before running" is default-on for write tools, and Super Admin gates control AI feature access [6]. |
| Output Guardrails | 1 / 3 | PurpleLlama provides model-level output filtering, but no Breeze-specific DLP or credential redaction is documented [3]. |
| Monitoring | 2 / 3 | Centralized audit logging with Audit Log API, security activity export, and email notifications; SIEM forwarding requires operator setup [10]. |

6 Hardening Tips

Concrete actions an operator can take to reduce the risks reported above, grouped by which defense control each tip strengthens. Operators should prioritize breaking the trifecta by restricting untrusted input channels and gating autonomous agent actions.

Input Guardrails

Input guardrails intercept adversarial content before it reaches the reasoning loop.

  • Policy: Require security review of all knowledge vault content before ingestion to limit untrusted document exposure.
  • Configuration: Restrict MCP client connections to a pre-approved allow-list and disable web browsing for agents that do not require it.
  • Engineering: Deploy a secondary prompt-injection classifier upstream of the Breeze reasoning loop to catch payloads PurpleLlama misses.

Execution Isolation

Execution isolation contains what a compromised agent can do on the host.

  • Policy: Establish a dedicated HubSpot portal for high-sensitivity agent workloads to limit cross-tenant blast radius.
  • Configuration: Disable AI features for non-production portals and restrict Breeze Studio access to a named operator group.
  • Engineering: Instrument API gateway logs to detect anomalous CRM write patterns from agent sessions and alert on threshold breaches.

Action Controls

Action controls govern which tools and actions the agent can invoke autonomously.

  • Policy: Require that all automation-triggered agents retain the "Review before running" toggle for write and action tools [12].
  • Configuration: Limit Prospecting Agent email send volumes with daily caps and restrict autonomous outreach to pre-approved contact segments.
  • Engineering: Build a webhook-based approval workflow that intercepts high-impact agent actions and routes them to a human queue.
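As an added example (not HubSpot code, and not the Breeze Studio approval mechanism itself), the following Python policy gate shows how the three Action Controls tips above can be combined in one decision point that a webhook-based approval workflow would call: read-only tools pass, write tools are held for a human queue (mirroring the "Review before running" toggle), and autonomous email sends are allowed only for pre-approved contact segments and under a per-agent daily cap. The payload shape (`kind`, `tool`, `agent`, `segment`) and the assumption that proposed actions are delivered to this gate by a webhook are hypothetical.

```python
"""Policy gate for proposed agent actions (added example, not HubSpot code).

Assumed (hypothetical) webhook payload shape:
  {"kind": "read" | "write" | "email", "tool": str, "agent": str, "segment": str}
evaluate() returns "allow", "hold" (queued for a human) or "deny".
"""
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import date
from typing import Optional


@dataclass(frozen=True)
class GatePolicy:
    daily_email_cap: int = 50                    # autonomous sends per agent per day
    approved_segments: frozenset = frozenset({"newsletter-optin"})
    hold_writes: bool = True                     # mirrors the "Review before running" toggle


@dataclass
class ActionGate:
    policy: GatePolicy
    queue: list = field(default_factory=list)    # held actions awaiting human review
    _sends: dict = field(default_factory=lambda: defaultdict(int))
    _day: Optional[date] = None

    def _roll_day(self, today: date) -> None:
        # Daily send counters reset when the calendar day changes.
        if self._day != today:
            self._day = today
            self._sends.clear()

    def evaluate(self, action: dict, today: date) -> str:
        self._roll_day(today)
        kind = action.get("kind")
        if kind == "read":
            return "allow"                       # get-data tools never need review
        if kind == "email":
            if action.get("segment") not in self.policy.approved_segments:
                self.queue.append(action)        # audience not pre-approved: a human decides
                return "hold"
            agent = action.get("agent", "unknown")
            if self._sends[agent] >= self.policy.daily_email_cap:
                return "deny"                    # cap reached: block rather than queue
            self._sends[agent] += 1
            return "allow"
        if kind == "write":
            if self.policy.hold_writes:
                self.queue.append(action)
                return "hold"
            return "allow"
        return "deny"                            # unknown action kinds never run autonomously


if __name__ == "__main__":
    gate = ActionGate(GatePolicy(daily_email_cap=2))
    today = date(2025, 1, 1)
    send = {"kind": "email", "tool": "send_outreach", "agent": "prospecting",
            "segment": "newsletter-optin"}
    for proposed in ({"kind": "read", "tool": "get_contact"},
                     {"kind": "write", "tool": "update_deal"},
                     send, send, send,
                     {**send, "segment": "all-contacts"}):
        print(proposed.get("tool"), "->", gate.evaluate(proposed, today))
    print("held for review:", len(gate.queue))
```

Denying on cap breach instead of queueing is deliberate: a burst of sends that exhausts the cap is exactly the pattern an operator does not want to approve one by one, so the gate drops it and leaves the evidence in the decision log rather than flooding the human queue.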

Output Guardrails

Output guardrails inspect what the agent sends to other systems and users.

  • Policy: Prohibit agents from surfacing raw CRM field values in customer-facing chat responses without operator-managed redaction rules.
  • Configuration: Enable content moderation logging for all Customer Agent chat sessions and route flagged responses to a review queue.
  • Engineering: Deploy a DLP proxy between the agent output pipeline and external channels to scan for credential and PII leakage [11].
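The scanning step of such a DLP proxy, as an added example that is not HubSpot code: it takes text bound for an external channel, finds credential-shaped tokens, card numbers (validated with the Luhn check so that ordinary long numbers such as deal IDs are not flagged), email addresses and phone numbers, and returns a redacted copy together with the findings. The sample text is constructed; the `pat-` token shape is an assumption about HubSpot private-app tokens, while the `AKIA` prefix is the published AWS access key ID format.

```python
"""Output DLP scanner for agent-generated text (added example, not HubSpot code).

Returns a redacted copy of the text plus the findings, so a proxy can both
block the leak and log what was caught. Token shapes are illustrative.
"""
import re
from dataclasses import dataclass

# Ordered by priority: an earlier kind wins when two matches overlap.
PATTERNS = [
    ("credential", re.compile(
        r"\b(?:pat-[a-z0-9]{2,4}-[0-9a-f-]{20,}"   # assumed HubSpot private-app token shape
        r"|AKIA[0-9A-Z]{16}"                       # AWS access key id
        r"|sk-[A-Za-z0-9]{20,})\b")),              # generic "sk-" style API secret
    ("card", re.compile(r"(?<!\d)\d(?:[ -]?\d){12,18}(?!\d)")),
    ("email", re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b")),
    ("phone", re.compile(r"(?<!\d)(?:\+?1[ .-]?)?\(?\d{3}\)?[ .-]?\d{3}[ .-]?\d{4}(?!\d)")),
]


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: filters out digit runs that are not card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


@dataclass
class Finding:
    kind: str
    start: int
    end: int
    value: str


def scan(text: str) -> list:
    found = []
    for kind, rx in PATTERNS:
        for m in rx.finditer(text):
            if kind == "card" and not luhn_ok(re.sub(r"[ -]", "", m.group())):
                continue                                  # digits, but not a card number
            if any(f.start < m.end() and m.start() < f.end for f in found):
                continue                                  # overlaps a higher-priority finding
            found.append(Finding(kind, m.start(), m.end(), m.group()))
    return sorted(found, key=lambda f: f.start)


def redact(text: str):
    """Return (redacted_text, findings); findings drive the proxy's audit log."""
    findings = scan(text)
    pieces, last = [], 0
    for f in findings:
        pieces.append(text[last:f.start])
        pieces.append(f"[REDACTED {f.kind.upper()}]")
        last = f.end
    pieces.append(text[last:])
    return "".join(pieces), findings


# Constructed sample of a chat response that echoes raw CRM fields and a secret.
SAMPLE_OUTPUT = ("Hi Jordan, your card 4111 1111 1111 1111 is on file. "
                 "Reach me at jordan@example.com or (555) 867-5309. "
                 "Token pat-na1-0123456789abcdef0123.")

if __name__ == "__main__":
    clean, hits = redact(SAMPLE_OUTPUT)
    print(clean)
    for h in hits:
        print(f"  {h.kind:<10} at {h.start}-{h.end}")
```

Overlap handling matters in practice: a card number with spaces can also look like a phone number to a looser pattern, so the scanner decides by priority rather than emitting two findings for one span.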

Monitoring

Monitoring captures what the agent did and surfaces anomalies for review.

  • Policy: Mandate weekly review of Breeze agent audit logs with escalation for anomalous action patterns.
  • Configuration: Forward all audit events to a SIEM via the Audit Log API or Cribl integration and configure alerting rules for bulk mutations.
  • Engineering: Build a dashboard that correlates agent session traces with CRM change events and flags sessions exceeding baseline volumes.
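Added example (not HubSpot code) covering both the Execution Isolation tip to alert on anomalous CRM write patterns and the Monitoring tips above: detection logic run over constructed audit events. The event shape (`ts`, `actor`, `session`, `action`) is a hypothetical stand-in for whatever the operator's SIEM receives from the Audit Log API, not the API's real schema. Two rules are applied: a sliding-window burst rule (too many writes from one session in five minutes) and a robust volume rule that flags sessions far above the median write count across sessions.

```python
"""Bulk-mutation and burst detection over agent audit events (added example).

Event lines are JSON with a hypothetical shape; sample data is constructed.
"""
import json
import statistics
from collections import defaultdict, deque
from datetime import datetime, timedelta

WRITE_ACTIONS = {"contact.update", "contact.delete", "deal.update", "email.send"}

# Constructed sample: three ordinary sessions and one session (s-200) that
# rewrites contacts every 15 seconds.
SAMPLE_LOG = "\n".join(
    [
        '{"ts":"2025-03-01T09:00:00","actor":"breeze-prospecting","session":"s-100","action":"contact.read"}',
        '{"ts":"2025-03-01T09:00:10","actor":"breeze-prospecting","session":"s-100","action":"email.send"}',
        '{"ts":"2025-03-01T09:00:20","actor":"breeze-prospecting","session":"s-100","action":"email.send"}',
        '{"ts":"2025-03-01T09:05:00","actor":"breeze-customer","session":"s-101","action":"contact.update"}',
        '{"ts":"2025-03-01T09:06:00","actor":"breeze-content","session":"s-102","action":"deal.update"}',
        '{"ts":"2025-03-01T09:06:30","actor":"breeze-content","session":"s-102","action":"deal.update"}',
    ]
    + [
        f'{{"ts":"2025-03-01T09:{10 + i // 4:02d}:{(i % 4) * 15:02d}","actor":"breeze-customer",'
        f'"session":"s-200","action":"contact.update"}}'
        for i in range(8)
    ]
)


def parse_events(lines):
    """Parse JSON lines into dicts with a datetime 'ts', sorted by time."""
    events = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        e = json.loads(line)
        e["ts"] = datetime.fromisoformat(e["ts"])
        events.append(e)
    return sorted(events, key=lambda e: e["ts"])


def burst_alerts(events, window=timedelta(minutes=5), max_writes=5):
    """Flag a session the first time it exceeds max_writes write actions in any window."""
    recent = defaultdict(deque)
    alerts = {}
    for e in events:
        if e["action"] not in WRITE_ACTIONS:
            continue
        q = recent[e["session"]]
        q.append(e["ts"])
        while q and e["ts"] - q[0] > window:
            q.popleft()                      # drop writes that fell out of the window
        if len(q) > max_writes and e["session"] not in alerts:
            alerts[e["session"]] = {"session": e["session"], "actor": e["actor"],
                                    "writes_in_window": len(q), "at": e["ts"].isoformat()}
    return list(alerts.values())


def volume_alerts(events, k=3.0):
    """Flag sessions whose write count exceeds median + k * MAD across sessions.

    Median and MAD are used instead of mean and standard deviation so a single
    runaway session cannot inflate the baseline it is measured against.
    """
    counts = defaultdict(int)
    for e in events:
        if e["action"] in WRITE_ACTIONS:
            counts[e["session"]] += 1
    if len(counts) < 3:
        return []                            # too few sessions for a baseline
    vals = sorted(counts.values())
    med = statistics.median(vals)
    mad = statistics.median(abs(v - med) for v in vals)
    threshold = med + k * max(mad, 1.0)      # floor the MAD so a flat baseline still alerts
    return [{"session": s, "writes": c, "threshold": threshold}
            for s, c in counts.items() if c > threshold]


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG.splitlines())
    for a in burst_alerts(evs):
        print("BURST ", a)
    for a in volume_alerts(evs):
        print("VOLUME", a)
```

The burst rule fires during the session, which is the only way to get an alert out before an agent without a per-instance stop mechanism finishes; the volume rule runs over a completed export and is better suited to the weekly review and the baseline dashboard.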

7 References

The evidence base behind every score and finding in the profile, grouped by source type so the reader can verify any claim. Numbers in brackets throughout the report (e.g. [7, 13]) refer to entries below, listed in citation order.

Selected Vulnerabilities

  1. CVE-2023-37749. NVD; CVE 5.3; HubSpot REST API access-control flaw.

Selected Research

  2. Breeze Agents, MIT AI Agent Index. MIT safety and autonomy assessment; PurpleLlama, PacketLabs pentest, no per-instance stop.

Vendor Documentation

  3. HubSpot AI Trust and Safety. Vendor AI trust page; encryption, privacy, zero data retention.
  4. HubSpot AI Model Cards. Model cards; Breeze LLMs, red teaming, OWASP Top 10, PromptArmor.
  5. HubSpot Security Program. SOC 2 Type 2, SOC 3, PacketLabs pentest, Bugcrowd disclosure.
  6. Breeze Studio documentation. Agent customization, tool configuration, approval workflows, automation triggers.
  7. Knowledge Vaults documentation. Persistent context stores; up to 50 vaults, PDF processing, CRM segments.
  8. Breeze Tools documentation. Tool types (get data, generate, take action), Super Admin gates, MCP.
  9. HubSpot MCP Client documentation. Remote MCP connections to Notion, Zapier, Asana; OAuth authentication.
  10. HubSpot Audit Logs documentation. Audit logging, security activity export, Audit Log API.

Other Sources

  11. HubSpot June 2024 security incident. TechCrunch; unauthorized access to fewer than 50 accounts.
  12. HubSpot HackerOne bug bounty. Public bug bounty; *.hubspot.com scope, one-month average closure.
  13. Breeze AI Agents product page. Agent types, marketplace, Studio customization, edition requirements.