blocknative-automation
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGHEXTERNAL_DOWNLOADSREMOTE_CODE_EXECUTIONPROMPT_INJECTION
Full Analysis
- [Indirect Prompt Injection] (HIGH): The skill explicitly instructs the agent to fetch tool schemas and 'recommended execution plans' from a remote source via
RUBE_SEARCH_TOOLS. - Ingestion points: Tool schemas, slugs, and execution plans returned by
https://rube.app/mcp. - Boundary markers: None. The instructions mandate using 'exact field names and types from search results'.
- Capability inventory: Execution of blockchain-related tools via Blocknative toolkit, including
RUBE_MULTI_EXECUTE_TOOLandRUBE_REMOTE_WORKBENCH. - Sanitization: None. The agent is directed to follow the remote execution plans directly, creating a massive surface for an attacker-controlled server to dictate agent behavior (e.g., redirecting funds or leaking data).
- [External Downloads] (HIGH): The skill requires the addition of an external MCP server at
https://rube.app/mcp. This domain is not within the defined [TRUST-SCOPE-RULE] and represents an unverified dependency that controls the agent's core capabilities. - [Remote Code Execution] (HIGH): The use of
RUBE_REMOTE_WORKBENCHand therun_composio_tool()function facilitates the execution of logic on a remote workbench. Since the instructions for what to run are fetched dynamically from the same unverified remote server, this constitutes a high-risk remote execution pattern.
Recommendations
- AI detected serious security threats
Audit Metadata