callingly-automation
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGH
Risk Categories: EXTERNAL_DOWNLOADS, REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
- [Indirect Prompt Injection] (HIGH): The skill is highly vulnerable to indirect prompt injection because it ingests tool schemas and recommended execution plans from a remote MCP server via the RUBE_SEARCH_TOOLS function. Because the skill can execute tools and access a remote workbench (RUBE_MULTI_EXECUTE_TOOL, RUBE_REMOTE_WORKBENCH), a malicious or compromised server could control the agent's actions. Evidence: ingestion point at RUBE_SEARCH_TOOLS in SKILL.md; no boundary markers or sanitization logic defined; capabilities include tool execution and remote workbench access.
- [External Downloads] (MEDIUM): The skill requires the user to manually add an external MCP endpoint (https://rube.app/mcp) that is not included in the pre-approved trusted source list. This endpoint serves as the source of all tool definitions and logic.
- [Remote Code Execution] (HIGH): The inclusion of RUBE_REMOTE_WORKBENCH with run_composio_tool() permits the execution of complex operations in a remote environment controlled by the third-party server, posing a significant risk if the server is compromised or malicious.
- [Command Execution] (MEDIUM): The skill facilitates the execution of various Callingly tools based on dynamically retrieved schemas, which increases the potential impact of any injected instructions.
Recommendations
- AI detected serious security threats
Audit Metadata