docsbot-ai-automation
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGH
Tags: COMMAND_EXECUTION, EXTERNAL_DOWNLOADS
Full Analysis
- [Indirect Prompt Injection] (HIGH): The skill is designed to ingest untrusted data from an external source and use it to drive high-privilege tool execution.
- Ingestion points: RUBE_SEARCH_TOOLS retrieves tool schemas, recommended execution plans, and "known pitfalls" from https://rube.app/mcp.
- Boundary markers: No delimiters or safety instructions are provided to help the agent distinguish between valid schemas and malicious instructions embedded in the server response.
- Capability inventory: The skill uses RUBE_MULTI_EXECUTE_TOOL and RUBE_REMOTE_WORKBENCH to execute actions on the Docsbot AI platform via Composio.
- Sanitization: There is no evidence of validation or sanitization of the remote data before it is interpolated into the agent's execution flow.
- [External Dependency & Supply Chain Risk] (HIGH): The skill mandates the use of https://rube.app/mcp, which is not in the list of trusted external sources. The architectural pattern of "just add the endpoint and it works", without any local configuration or secrets, implies that the external server maintains significant control over the agent's operational logic.
- [Dynamic Execution] (MEDIUM): The instructions explicitly forbid hardcoding tool definitions and force the agent to rely on runtime discovery. This prevents static auditing of the agent's actual capabilities and shifts the trust boundary entirely to the remote provider.
Recommendations
- AI detected serious security threats