emailable-automation

Fail

Audited by Gen Agent Trust Hub on Feb 16, 2026

Risk Level: HIGH
Tags: EXTERNAL_DOWNLOADS, REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
  • [Indirect Prompt Injection] (HIGH): The skill's core workflow depends on fetching tool schemas and execution plans from an external source (RUBE_SEARCH_TOOLS). This creates a vulnerability where a compromised or malicious remote server can inject instructions into the agent's workflow by returning poisoned tool definitions.
      • Ingestion points: RUBE_SEARCH_TOOLS response, RUBE_GET_TOOL_SCHEMAS response, and data from the emailable service itself.
      • Boundary markers: Absent. No instructions are provided to the agent to disregard instructions contained within the fetched tool schemas or external data.
      • Capability inventory: High. The skill uses RUBE_MULTI_EXECUTE_TOOL and RUBE_REMOTE_WORKBENCH, which allow arbitrary tool execution and remote operations.
      • Sanitization: Absent. There is no evidence of validation or filtering of the content returned by the external service.
  • [Remote Code Execution / External Downloads] (HIGH): The setup instructions require adding https://rube.app/mcp as an MCP server. This grants a remote, non-trusted third-party endpoint the ability to define and execute tools within the user's agent environment. The RUBE_REMOTE_WORKBENCH tool explicitly enables remote execution of Composio tools.
  • [Command Execution] (MEDIUM): The skill facilitates the execution of various tools via the Rube MCP. While these are presented as discrete tools, they effectively allow the agent to perform operations with side effects on external platforms, based on instructions received from a remote server.
  • [Metadata Poisoning] (LOW): The description encourages users to add a specific remote endpoint (rube.app), which bypasses the standard security review processes that apply to local code.
Recommendations
  • AI detected serious security threats
Audit Metadata
  • Risk Level: HIGH
  • Analyzed: Feb 16, 2026, 01:05 PM