The way our signatures are currently created, they are susceptible to replay attacks. Two requests to the same app for the same data are not unique, because all of the input is the same in each request (secret, method, uri, data). That part is currently expected, but it does mean that an eavesdropper could intercept the request and later replay it to pass signature verification. If that eavesdropper makes the exact same request to get data from the app and provides the exact same signature, it will be indistinguishable from a HubSpot request.
We're currently working on an updated signature structure that will roll out as a part of some new platform changes. This scheme includes a timestamp component, making the signature more secure. This change is not backwards compatible with our current X-HubSpot-Signature scheme, but we will migrate the CRM Extensions API to this new platform at some point, with a grace period where both schemes are supported. Stay tuned to the Platform Changelog for more details on this.
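To make the difference concrete, here is an added example (not HubSpot's code; the exact digest construction of either scheme is assumed, not taken from this page) showing why a signature over only static inputs can be replayed and how a signed timestamp plus a freshness window on the receiving side lets the app reject the same capture later:

```python
import hashlib
import hmac
import time

# Constructed sample values; the real secret and signature format are not on the page.
SECRET = "example-client-secret"
MAX_SKEW_SECONDS = 300  # assumed freshness window for the timestamped scheme

def legacy_signature(secret, method, uri, body):
    """Assumed shape of the current scheme: a digest over static inputs only."""
    return hashlib.sha256((secret + method + uri + body).encode()).hexdigest()

def timestamped_signature(secret, method, uri, body, timestamp):
    """Assumed shape of the new scheme: the timestamp is part of the signed input."""
    msg = f"{method}{uri}{body}{timestamp}".encode()
    return hmac.new(secret.encode(), msg, hashlib.sha256).hexdigest()

def verify_legacy(secret, method, uri, body, presented):
    expected = legacy_signature(secret, method, uri, body)
    return hmac.compare_digest(expected, presented)

def verify_timestamped(secret, method, uri, body, timestamp, presented, now=None):
    now = time.time() if now is None else now
    # Reject anything outside the freshness window before checking the digest,
    # so a captured request stops verifying once the window has passed.
    if abs(now - timestamp) > MAX_SKEW_SECONDS:
        return False
    expected = timestamped_signature(secret, method, uri, body, timestamp)
    return hmac.compare_digest(expected, presented)

def replay_demo():
    """Returns (legacy_replayed, fresh_ok, stale_rejected, edited_ts_rejected)."""
    method, uri, body = "GET", "/crm-extension/data?objectId=123", ""
    # Legacy: a captured signature verifies again no matter how much later it arrives.
    sig = legacy_signature(SECRET, method, uri, body)
    legacy_replayed = verify_legacy(SECRET, method, uri, body, sig)
    # Timestamped: the same capture checked inside the window, then after it.
    t0 = 1_700_000_000
    sig_t = timestamped_signature(SECRET, method, uri, body, t0)
    fresh = verify_timestamped(SECRET, method, uri, body, t0, sig_t, now=t0 + 10)
    stale = verify_timestamped(SECRET, method, uri, body, t0, sig_t, now=t0 + 3600)
    # Because the timestamp is inside the signed input, editing it to look fresh also fails.
    edited = verify_timestamped(SECRET, method, uri, body, t0 + 3600, sig_t, now=t0 + 3600)
    return legacy_replayed, fresh, stale, edited
```

The last two results are the point of the new scheme: the receiver must both bind the timestamp into the signature and enforce a window on it, since either half alone leaves the replay open.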