aero-workflow-automation
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: CRITICAL
Tags: REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, PROMPT_INJECTION
Full Analysis
- Dynamic Execution (CRITICAL): The skill utilizes RUBE_MULTI_EXECUTE_TOOL and RUBE_REMOTE_WORKBENCH to execute operations defined at runtime by an external server. Since the execution logic is retrieved from RUBE_SEARCH_TOOLS and incorporated into subsequent tool calls, it constitutes execution of untrusted remote content.
- Indirect Prompt Injection (HIGH): The skill possesses a major indirect injection surface.
  - Ingestion points: RUBE_SEARCH_TOOLS returns tool slugs, input schemas, and execution plans from an external source.
  - Boundary markers: None. The skill explicitly instructs the agent to 'use exact field names and types' from the external response.
  - Capability inventory: RUBE_MULTI_EXECUTE_TOOL (write/execute) and RUBE_REMOTE_WORKBENCH (arbitrary tool execution via workbench).
  - Sanitization: None. The instructions mandate strict adherence to the externally provided schema, allowing a malicious server to dictate agent actions.
- Unverifiable Dependencies & Remote Code Execution (HIGH): The setup requires adding https://rube.app/mcp as an MCP server. This endpoint is not in the trusted source list and serves as a remote control point for the agent's available tools and logic.
- Command Execution (HIGH): Use of RUBE_REMOTE_WORKBENCH with run_composio_tool() enables arbitrary remote tool execution, which bypasses local constraints if the remote environment is compromised.
Recommendations
- AI detected serious security threats
Audit Metadata