chatbotkit-automation

Fail

Audited by Gen Agent Trust Hub on Feb 16, 2026

Risk Level: HIGH
Tags: EXTERNAL_DOWNLOADS, REMOTE_CODE_EXECUTION, PROMPT_INJECTION, COMMAND_EXECUTION
Full Analysis
  • [EXTERNAL_DOWNLOADS] (MEDIUM): The skill requires connecting to an external MCP server (https://rube.app/mcp) that is not part of the trusted source whitelist.
  • [REMOTE_CODE_EXECUTION] (HIGH): The skill utilizes RUBE_REMOTE_WORKBENCH and RUBE_MULTI_EXECUTE_TOOL, which facilitate remote execution of tools and potentially code through the Composio ecosystem.
  • [PROMPT_INJECTION] (HIGH): This skill exhibits a significant indirect prompt injection surface. Ingestion points: Dynamically retrieves tool schemas, recommended execution plans, and input requirements from the RUBE_SEARCH_TOOLS endpoint at runtime in SKILL.md. Boundary markers: None present; the agent is explicitly instructed to follow the returned execution plans and schemas without validation. Capability inventory: Includes RUBE_MULTI_EXECUTE_TOOL and RUBE_REMOTE_WORKBENCH, providing high-privilege access to external tools and environments. Sanitization: No sanitization or validation logic is specified for data returned from the external API.
  • [COMMAND_EXECUTION] (MEDIUM): Dynamic execution of tool slugs (TOOL_SLUG_FROM_SEARCH) returned from an external API source is encouraged, which can be manipulated if the upstream API is compromised.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level: HIGH
Analyzed: Feb 16, 2026, 08:13 AM