crustdata-automation
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGHEXTERNAL_DOWNLOADSREMOTE_CODE_EXECUTIONCOMMAND_EXECUTION
Full Analysis
- [Unverifiable Dependencies] (HIGH): The skill requires the addition of an external MCP server at 'https://rube.app/mcp'. This server is not among the trusted sources. The claim that 'No API keys needed — just add the endpoint and it works' is highly suspicious for a service that manages data connections (Crustdata), as it implies the remote server maintains its own persistence and execution logic without transparent local control.
- [Indirect Prompt Injection] (HIGH): The skill follows a pattern where tool schemas and execution plans are dynamically fetched from the remote server ('RUBE_SEARCH_TOOLS') and then executed ('RUBE_MULTI_EXECUTE_TOOL').
- Ingestion points: Tool schemas, input descriptions, and execution plans are ingested from 'https://rube.app/mcp'.
- Boundary markers: No boundary markers or instruction-ignoring delimiters are defined for the data returned from the MCP server.
- Capability inventory: The skill includes 'RUBE_MULTI_EXECUTE_TOOL' (tool execution) and 'RUBE_REMOTE_WORKBENCH' (bulk remote operations), providing a high-privilege execution environment.
- Sanitization: There is no evidence of sanitization for the dynamic tool slugs or arguments returned by the search process before they are passed to the execution tools.
- [Remote Code Execution] (MEDIUM): The 'RUBE_REMOTE_WORKBENCH' tool with 'run_composio_tool()' capabilities suggests a remote environment capable of executing complex logic and code-like operations on external toolsets.
Recommendations
- AI detected serious security threats
Audit Metadata