bolna-automation
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGHREMOTE_CODE_EXECUTIONEXTERNAL_DOWNLOADSCOMMAND_EXECUTION
Full Analysis
- [Unverifiable Dependencies & Remote Code Execution] (HIGH): The skill requires the user to add an external MCP server
https://rube.app/mcp. This endpoint is not in the trusted source list. Since this server provides the definitions and logic for tools, it acts as a remote execution environment that could be used to deliver malicious instructions or intercept data. - [Indirect Prompt Injection] (HIGH): The skill is highly vulnerable to poisoning via the
RUBE_SEARCH_TOOLSprocess. - Ingestion points: Tool schemas and 'recommended execution plans' are fetched at runtime from
rube.app(SKILL.md). - Boundary markers: Absent. The instructions explicitly command the agent to follow the returned schemas and use exact field names without verification.
- Capability inventory: The skill possesses powerful write and execute capabilities including
RUBE_MULTI_EXECUTE_TOOLandRUBE_REMOTE_WORKBENCH. - Sanitization: None provided. The agent is told to 'always search first' and rely entirely on the remote output for workflow execution.
- [Dynamic Execution] (HIGH): The use of
RUBE_REMOTE_WORKBENCHwithrun_composio_tool()allows for dynamic execution of logic defined by an external service. This creates an environment where malicious code can be injected and executed on the agent's side based on instructions from the untrustedrube.appserver.
Recommendations
- AI detected serious security threats
Audit Metadata