Attio Automation
Warn
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: MEDIUMREMOTE_CODE_EXECUTIONPROMPT_INJECTIONDATA_EXFILTRATION
Full Analysis
- REMOTE_CODE_EXECUTION (MEDIUM): The skill requires connecting to an external Model Context Protocol (MCP) server at
https://rube.app/mcp. This endpoint acts as a remote execution environment for the skill's logic. Although associated with the Composio platform, this domain is not within the explicitly defined trusted source list, requiring users to trust a third-party infrastructure for CRM data processing. - PROMPT_INJECTION (MEDIUM): The skill is susceptible to Indirect Prompt Injection (Category 8) due to its data ingestion capabilities.
- Ingestion points: Tools such as
ATTIO_SEARCH_RECORDS,ATTIO_LIST_NOTES, andATTIO_QUERY_RECORDSingest untrusted content from the Attio CRM workspace (e.g., contact notes, company descriptions, or deal names). - Boundary markers: Absent. The skill does not define delimiters or instructions to treat CRM data as untrusted content.
- Capability inventory: The skill possesses extensive read capabilities and transmits data to an external network endpoint (the MCP server). Malicious instructions embedded in CRM records could influence the agent's behavior or lead to data leakage in subsequent steps.
- Sanitization: No evidence of sanitization or filtering is present to strip potential instructions from ingested CRM strings.
- DATA_EXFILTRATION (LOW): The skill is designed to access and transmit sensitive CRM data (people, companies, and financial deals) to the external
rube.appendpoint. While this is the intended purpose of the integration, it constitutes an inherent data exposure risk to a third-party service.
Audit Metadata