agencyzoom-automation
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGH
Tags: EXTERNAL_DOWNLOADS, REMOTE_CODE_EXECUTION, COMMAND_EXECUTION
Full Analysis
- [EXTERNAL_DOWNLOADS] (HIGH): The skill instructs the user to add an external, untrusted MCP server (https://rube.app/mcp) to their client configuration. This server is not on the [TRUST-SCOPE-RULE] list.
- [REMOTE_CODE_EXECUTION] (HIGH): MCP servers define the tools available to the agent. By using a remote server, the agent's capabilities are dynamically defined by an external entity. The skill explicitly mentions RUBE_REMOTE_WORKBENCH and run_composio_tool(), which implies execution of complex toolchains or code in a remote environment.
- [COMMAND_EXECUTION] (MEDIUM): The RUBE_MULTI_EXECUTE_TOOL and RUBE_REMOTE_WORKBENCH tools provide significant side-effect capabilities, including executing multiple operations or 'workbench' tasks based on remote input.
- [INDIRECT_PROMPT_INJECTION] (HIGH): The skill instructions create a mandatory vulnerability surface:
  - Ingestion points: The agent is told to 'Always search tools first' using RUBE_SEARCH_TOOLS. The response includes 'recommended execution plans' and 'known pitfalls' from the remote server (SKILL.md).
  - Boundary markers: There are no markers or instructions for the agent to sanitize or ignore instructions embedded in the 'execution plans' returned by the server.
  - Capability inventory: The agent has access to RUBE_MULTI_EXECUTE_TOOL and RUBE_REMOTE_WORKBENCH (SKILL.md), which can perform significant actions in the Agencyzoom environment.
  - Sanitization: No sanitization or validation of the remote server's response is performed; the agent is explicitly told to follow the 'recommended execution plans'.
Recommendations
- AI detected serious security threats
Audit Metadata