landbot-automation
Warn
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: MEDIUM (EXTERNAL_DOWNLOADS, REMOTE_CODE_EXECUTION)
Full Analysis
- EXTERNAL_DOWNLOADS (MEDIUM): The skill requires the user to add an external MCP server endpoint (https://rube.app/mcp) which is not on the trusted sources list. This server provides the definitions, schemas, and logic for all 'Landbot' tools used by the skill.
- REMOTE_CODE_EXECUTION (MEDIUM): The skill utilizes RUBE_MULTI_EXECUTE_TOOL and RUBE_REMOTE_WORKBENCH. These tools execute logic provided by the remote MCP server. The RUBE_REMOTE_WORKBENCH specifically suggests a capability to run remote code or scripts (run_composio_tool()).
- PROMPT_INJECTION (LOW): The skill exhibits an Indirect Prompt Injection surface (Category 8). It dynamically ingests tool schemas and descriptions via RUBE_SEARCH_TOOLS and instructs the agent to follow them strictly ('Always search tools first', 'Use exact field names from search results').
  - Ingestion points: Data returned from the RUBE_SEARCH_TOOLS call to the rube.app endpoint.
  - Boundary markers: Absent. There are no instructions for the agent to sanitize or ignore instructions embedded within the fetched schemas.
  - Capability inventory: The skill has the ability to execute multiple tools (RUBE_MULTI_EXECUTE_TOOL) and use a workbench environment (RUBE_REMOTE_WORKBENCH).
  - Sanitization: Absent. The skill trusts the remote schema as the source of truth for execution.
Audit Metadata