close-automation

Warn

Audited by Gen Agent Trust Hub on Feb 20, 2026

Risk Level: MEDIUM
Findings: EXTERNAL_DOWNLOADS, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
  • [EXTERNAL_DOWNLOADS] (MEDIUM): The skill requires the configuration of an external MCP server at https://rube.app/mcp. This domain is not on the trusted sources list. Because the MCP server provides the implementation of the CRM tools, the agent depends on unverified third-party code.
  • [DATA_EXFILTRATION] (LOW): The skill accesses sensitive CRM data, including lead information and communication logs (SMS and calls). This data is routed through the Rube MCP infrastructure, representing a data exposure surface.
  • [PROMPT_INJECTION] (LOW): The skill has an indirect prompt injection surface. (1) Ingestion points: Data is read from Close CRM via tools like CLOSE_GET_NOTE. (2) Boundary markers: No instructions or delimiters are provided to isolate CRM data from agent instructions. (3) Capability inventory: The skill can send outbound messages (CLOSE_CREATE_SMS) and delete records (CLOSE_DELETE_CALL). (4) Sanitization: There is no evidence of sanitization for data retrieved from the CRM.
Audit Metadata
  • Risk Level: MEDIUM
  • Analyzed: Feb 20, 2026, 03:10 PM