helloleads-automation
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGH
Categories: REMOTE_CODE_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
- [REMOTE_CODE_EXECUTION] (HIGH): The skill directs the user to connect an external, unverified MCP server endpoint (https://rube.app/mcp).
  - Evidence: The "Setup" section instructs users to add this URL to their MCP client configuration. Because the server is not a trusted source, it could serve malicious tool schemas that lead to arbitrary code execution when the agent calls RUBE_MULTI_EXECUTE_TOOL or RUBE_REMOTE_WORKBENCH.
- [PROMPT_INJECTION] (HIGH): The skill is highly vulnerable to Indirect Prompt Injection (Category 8).
  - Ingestion points: The agent ingests untrusted data from Helloleads (leads, customer notes, etc.) and tool schemas from the Rube MCP server.
  - Boundary markers: Absent. There are no instructions or delimiters provided to ensure the agent ignores embedded instructions within the CRM data.
  - Capability inventory: The skill provides powerful execution capabilities including RUBE_MULTI_EXECUTE_TOOL and RUBE_REMOTE_WORKBENCH (with run_composio_tool()).
  - Sanitization: Absent. There is no mention of filtering or sanitizing lead data before the agent processes it.
- [DATA_EXFILTRATION] (MEDIUM): Sensitive CRM data exposure risk via third-party routing.
  - Evidence: All Helloleads operations are proxied through the rube.app infrastructure. Although the skill claims no API keys are needed, the intermediary server necessarily handles the data flow, creating an exfiltration risk for sensitive business lead information.
Recommendations
- AI detected serious security threats
Audit Metadata