aeroleads-automation
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGH (REMOTE_CODE_EXECUTION, EXTERNAL_DOWNLOADS, COMMAND_EXECUTION)
Full Analysis
- Indirect Prompt Injection (HIGH): The skill possesses a high-risk attack surface for indirect prompt injection.
  - Ingestion points: Data enters the agent context from Aeroleads via RUBE_MULTI_EXECUTE_TOOL and RUBE_SEARCH_TOOLS.
  - Boundary markers: No delimiters or instructions to ignore embedded instructions in the retrieved data are present in the skill configuration.
  - Capability inventory: The skill uses RUBE_MULTI_EXECUTE_TOOL and RUBE_REMOTE_WORKBENCH, allowing for significant state-changing operations and potentially arbitrary code execution within the workspace.
  - Sanitization: There is no evidence of data validation or sanitization before external content is used to influence agent decisions or subsequent tool calls.
- External Downloads & Remote Execution (HIGH): The skill requires connecting to an external MCP server (https://rube.app/mcp) that is not within the trusted source scope. This creates a dependency on a third-party service that defines tool logic and execution schemas at runtime.
- Command Execution (MEDIUM): The use of RUBE_REMOTE_WORKBENCH with run_composio_tool() facilitates high-level command execution. While orchestrated through MCP, it grants the agent broad capabilities over the targeted platform (Aeroleads) based on dynamic schemas fetched from a remote source.
Recommendations
- AI detected serious security threats
Audit Metadata