coda-automation
Warn
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: MEDIUM (EXTERNAL_DOWNLOADS, PROMPT_INJECTION)
Full Analysis
- EXTERNAL_DOWNLOADS (MEDIUM): The skill requires the user to add an external MCP server endpoint (https://rube.app/mcp). This server is hosted by a third party (Composio/Rube) and is not on the predefined list of trusted sources. The agent's core functionality depends on this remote service.
- PROMPT_INJECTION (LOW): This skill is vulnerable to Indirect Prompt Injection (Category 8). An attacker could place malicious instructions inside a Coda document that the agent reads, potentially triggering unauthorized actions.
  - Ingestion points: The agent reads untrusted data from documents via CODA_LIST_TABLE_ROWS, CODA_SEARCH_ROW, and CODA_GET_A_ROW in SKILL.md.
  - Boundary markers: No explicit boundary markers or instructions to ignore embedded commands are defined in the tool sequence or workflows.
  - Capability inventory: The skill has significant write and administrative capabilities, including CODA_ADD_PERMISSION (modifying access control), CODA_PUBLISH_DOC (making private documents public), and CODA_UPSERT_ROWS (modifying document content).
  - Sanitization: There is no evidence of output sanitization or validation of the data retrieved from Coda before the agent processes it.
- DATA_EXFILTRATION (SAFE): While the skill manages sensitive data, it does so through standard API wrappers. There are no patterns suggesting data is being sent to unauthorized external domains, provided the MCP server itself is trusted by the user.