auth0-automation
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGH
Tags: EXTERNAL_DOWNLOADS, REMOTE_CODE_EXECUTION, COMMAND_EXECUTION
Full Analysis
- Unverifiable Dependencies & Remote Code Execution (HIGH): The skill instructs users to add an external, untrusted MCP server (https://rube.app/mcp). This domain is not in the trusted source list. An MCP server provides the logic and tool definitions the agent follows; connecting to an untrusted server is equivalent to installing and executing unverified remote code.
- Indirect Prompt Injection (HIGH): The skill relies on RUBE_SEARCH_TOOLS to fetch schemas and execution plans from an external source. Because these instructions influence high-privilege actions (Auth0 user and connection management) and there are no documented boundary markers or sanitization processes, the agent is vulnerable to instructions embedded in the tool metadata.
  - Ingestion points: Tool schemas, input field names, and execution plans fetched from the remote rube.app endpoint via RUBE_SEARCH_TOOLS.
  - Boundary markers: Absent; the skill suggests using discovered fields directly without validation.
  - Capability inventory: Auth0 write/management operations via RUBE_MULTI_EXECUTE_TOOL and RUBE_REMOTE_WORKBENCH (which supports run_composio_tool()).
  - Sanitization: Absent; the skill emphasizes using exact field names and types provided by the search results.
- Command Execution (MEDIUM): The use of RUBE_REMOTE_WORKBENCH implies a remote execution environment. Given the untrusted nature of the service provider, this tool could be leveraged to execute unauthorized operations within the connected Auth0 tenant.
Recommendations
- AI detected serious security threats
Audit Metadata