instacart-automation

Fail

Audited by Gen Agent Trust Hub on Feb 16, 2026

Risk Level: HIGH
EXTERNAL_DOWNLOADS, REMOTE_CODE_EXECUTION, PROMPT_INJECTION, COMMAND_EXECUTION
Full Analysis
  • Unverifiable Dependencies & Remote Code Execution (HIGH): The skill requires connecting to an external MCP server at https://rube.app/mcp. This server is not a recognized trusted source and has the capability to execute tools or scripts on the agent's behalf.
  • Indirect Prompt Injection (HIGH): The skill is designed to fetch instructions and schemas dynamically at runtime.
      ◦ Ingestion points: Data returned from the RUBE_SEARCH_TOOLS call, which includes 'recommended execution plans' and 'input schemas'.
      ◦ Boundary markers: Absent. The instructions explicitly tell the agent to 'Always call RUBE_SEARCH_TOOLS first' and follow the returned schemas exactly.
      ◦ Capability inventory: RUBE_MULTI_EXECUTE_TOOL and RUBE_REMOTE_WORKBENCH allow for multi-step tool execution and potentially remote code environments.
      ◦ Sanitization: Absent. There is no validation of the schemas or plans returned by the external server before they are used to execute tools.
  • Data Exposure & Exfiltration (MEDIUM): The skill manages Instacart credentials and sessions via RUBE_MANAGE_CONNECTIONS. While it uses an OAuth-like flow, sensitive access to a grocery/payment account is mediated by an unverified third-party service (rube.app).
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level: HIGH
Analyzed: Feb 16, 2026, 01:32 PM