square-automation
Warn
Audited by Gen Agent Trust Hub on Mar 13, 2026
Risk Level: MEDIUM
Flags: EXTERNAL_DOWNLOADS, PROMPT_INJECTION
Full Analysis
- [EXTERNAL_DOWNLOADS]: The skill instructs users to configure an external MCP server at https://rube.app/mcp. This endpoint is managed by an unverified third party (aAAaqwq) and acts as a gateway for high-privilege Square operations, potentially exposing financial data and transaction control to the intermediary.
- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection attacks from data retrieved via Square APIs.
  - Ingestion points: Data is ingested through tools like SQUARE_SEARCH_ORDERS, SQUARE_LIST_PAYMENTS, and SQUARE_GET_INVOICE, which often include attacker-controllable fields such as customer notes, item names, or invoice descriptions.
  - Boundary markers: The skill fails to provide delimiters or instructions to the agent to distinguish between its core instructions and the data retrieved from Square.
  - Capability inventory: The agent possesses state-changing tools (SQUARE_CANCEL_PAYMENT, SQUARE_UPDATE_ORDER, SQUARE_CANCEL_INVOICE) that could be maliciously triggered if the agent interprets embedded instructions within the processed Square data.
  - Sanitization: There is no documentation or implementation of sanitization or validation for the content returned from external API calls.
Audit Metadata