contentful-graphql-automation
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGHEXTERNAL_DOWNLOADSREMOTE_CODE_EXECUTIONCOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
- [Prompt Injection] (HIGH): High risk of Indirect Prompt Injection (Category 8). The agent is instructed to fetch tool schemas and 'recommended execution plans' from an external source and follow them. * Ingestion points: Untrusted data enters the agent context via
RUBE_SEARCH_TOOLS(schemas/plans) and the results of Contentful GraphQL queries. * Boundary markers: Absent. The skill provides no delimiters or instructions to treat external data as untrusted. * Capability inventory: The skill usesRUBE_MULTI_EXECUTE_TOOLandRUBE_REMOTE_WORKBENCH, granting the agent ability to execute complex actions and code based on external input. * Sanitization: Absent. There is no evidence of filtering or validation of the fetched data. - [External Downloads] (MEDIUM): The setup requires adding
https://rube.app/mcpas an MCP server. This domain is not a trusted source. Since the agent 'always' calls this server for tool schemas and plans, a compromise of the server allows for direct control over agent behavior. - [Remote Code Execution] (MEDIUM): The inclusion of
RUBE_REMOTE_WORKBENCHandrun_composio_tool()indicates a capability for remote code or logic execution. When combined with the dynamic discovery of tool schemas from an untrusted source, this poses a risk of unauthorized remote execution if the returned schemas contain malicious instructions.
Recommendations
- AI detected serious security threats
Audit Metadata