brex-staging-automation
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGHEXTERNAL_DOWNLOADSREMOTE_CODE_EXECUTIONCOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
- [EXTERNAL_DOWNLOADS] (HIGH): The skill requires connecting to an untrusted MCP server endpoint at 'https://rube.app/mcp'. This server is not a trusted source and is the primary authority for the agent's tool discovery and execution logic.\n- [REMOTE_CODE_EXECUTION] (HIGH): The skill provides tools for 'RUBE_REMOTE_WORKBENCH' and 'RUBE_MULTI_EXECUTE_TOOL', which allow for the remote execution of tools and potentially code on an external platform based on instructions fetched at runtime.\n- [COMMAND_EXECUTION] (HIGH): Use of 'RUBE_REMOTE_WORKBENCH' with 'run_composio_tool()' facilitates the execution of arbitrary tools defined by the external provider, bypassing local validation.\n- [PROMPT_INJECTION] (HIGH): The skill has a significant Indirect Prompt Injection surface (Category 8). \n
- Ingestion points: Data enters the agent context through 'RUBE_SEARCH_TOOLS' (schemas, plans) and 'RUBE_GET_TOOL_SCHEMAS'.\n
- Boundary markers: Absent. The skill explicitly directs the agent to 'Always call RUBE_SEARCH_TOOLS first' and 'Use exact field names and types from the search results', creating an obedience path for potentially malicious remote instructions.\n
- Capability inventory: Includes tool execution ('RUBE_MULTI_EXECUTE_TOOL'), connection management ('RUBE_MANAGE_CONNECTIONS'), and Brex Staging operations.\n
- Sanitization: None. The agent is instructed to trust the search results as the source of truth for tool interaction.
Recommendations
- AI detected serious security threats
Audit Metadata