centralstationcrm-automation
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGHCOMMAND_EXECUTIONEXTERNAL_DOWNLOADSPROMPT_INJECTION
Full Analysis
- [Indirect Prompt Injection] (HIGH): The skill is designed to ingest and process data from an external CRM (Centralstationcrm).
- Ingestion points: Untrusted data enters the agent context via CRM record lookups and tool outputs.
- Boundary markers: None are present; the instructions do not suggest using delimiters or 'ignore' instructions for external content.
- Capability inventory: High-privilege actions are available, including
RUBE_MULTI_EXECUTE_TOOL(for write operations) andRUBE_REMOTE_WORKBENCH(for remote code/tool execution). - Sanitization: No evidence of sanitization or schema validation for the data returned from the CRM.
- [External Downloads / Dependencies] (MEDIUM): The skill requires the user to add an external MCP server endpoint (
https://rube.app/mcp). This introduces a dependency on third-party infrastructure that manages the connection to the CRM toolkit. - [Command Execution] (MEDIUM): The use of
RUBE_REMOTE_WORKBENCHwithrun_composio_tool()suggests the ability to execute complex, multi-step operations in a remote environment, which may include code execution or arbitrary tool sequences depending on the toolkit's underlying capabilities.
Recommendations
- AI detected serious security threats
Audit Metadata