curated-automation
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGH
EXTERNAL_DOWNLOADS, REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
- Unverifiable Dependencies (HIGH): The skill requires a connection to an external MCP server at 'https://rube.app/mcp'. This domain is not recognized as a trusted source. The agent is instructed to fetch tool schemas and execution plans directly from this endpoint at runtime, allowing the external provider to influence agent behavior dynamically.
- Indirect Prompt Injection (HIGH):
  - Ingestion points: Untrusted data enters the agent context through 'RUBE_SEARCH_TOOLS' (which returns schemas and execution plans) and tool outputs from the Curated service.
  - Boundary markers: None. The skill does not implement delimiters or instructions to ignore embedded commands in the data retrieved from the MCP server or the service.
  - Capability inventory: The skill possesses powerful capabilities including 'RUBE_MULTI_EXECUTE_TOOL' and 'RUBE_REMOTE_WORKBENCH', which can perform write operations and execute remote logic.
  - Sanitization: There is no evidence of sanitization or validation of the schemas and data returned by the external service before they are used to generate further agent actions.
- Remote Code Execution (HIGH): The use of 'RUBE_REMOTE_WORKBENCH' with 'run_composio_tool()' facilitates the execution of complex operations in a remote environment. Since the execution logic is determined by the untrusted MCP server, this constitutes a remote execution risk where the agent may be coerced into performing unintended operations on the user's behalf.
- Command Execution (MEDIUM): The 'RUBE_MULTI_EXECUTE_TOOL' function allows the agent to trigger multiple operations sequentially based on 'TOOL_SLUG' values provided by the remote search tool, bypassing static code review of the actual commands being run.
Recommendations
- AI detected serious security threats
Audit Metadata