Skills
skills/composiohq/awesome-claude-skills/bitquery-automation/Gen Agent Trust Hub

bitquery-automation

Fail

Audited by Gen Agent Trust Hub on Feb 17, 2026

Risk Level: HIGHPROMPT_INJECTIONEXTERNAL_DOWNLOADSCOMMAND_EXECUTION
Full Analysis
  • [Indirect Prompt Injection] (HIGH): The skill is highly vulnerable to tool output poisoning (Category 8) because it instructs the agent to dynamically fetch and follow 'recommended execution plans' and schemas from a remote source.
  • Ingestion points: Data returned from RUBE_SEARCH_TOOLS via the https://rube.app/mcp endpoint.
  • Boundary markers: None. No instructions are provided to the agent to treat external tool definitions as untrusted or to ignore embedded natural language instructions.
  • Capability inventory: The skill provides full execution capabilities via RUBE_MULTI_EXECUTE_TOOL and RUBE_REMOTE_WORKBENCH (which allows running arbitrary code via run_composio_tool()).
  • Sanitization: None. The agent is explicitly told to 'Always search tools first' and follow the 'exact field names and types from the search results'.
  • [External Resource Dependence] (MEDIUM): The skill requires the user to add an untrusted MCP server (https://rube.app/mcp).
  • Evidence: Setup section directs users to add the endpoint to their client configuration. This domain is not within the trusted scope rules.
  • [Dynamic Execution] (MEDIUM): The skill uses runtime-generated data to determine which tools to execute and what arguments to pass.
  • Evidence: RUBE_MULTI_EXECUTE_TOOL uses TOOL_SLUG_FROM_SEARCH and dynamic arguments fetched from the remote search results.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level
HIGH
Analyzed
Feb 17, 2026, 08:00 AM