lastpass-automation
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGH
REMOTE_CODE_EXECUTION, EXTERNAL_DOWNLOADS, DATA_EXFILTRATION, COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
- EXTERNAL_DOWNLOADS (HIGH): Directs users to connect to an untrusted MCP endpoint ('https://rube.app/mcp'), which is not on the list of trusted sources. This server acts as the primary orchestrator for all LastPass interactions.
- REMOTE_CODE_EXECUTION (HIGH): Employs tools like 'RUBE_REMOTE_WORKBENCH' and 'RUBE_MULTI_EXECUTE_TOOL' to run logic on external infrastructure. The workbench specifically mentions 'run_composio_tool()', facilitating remote code or tool execution.
- DATA_EXFILTRATION (HIGH): The skill is designed to manage high-value credentials (LastPass). Funneling this data through an untrusted third-party service ('rube.app') allows for the potential logging, interception, or exfiltration of passwords and session tokens.
- COMMAND_EXECUTION (MEDIUM): Uses 'RUBE_SEARCH_TOOLS' to dynamically determine which tools to execute. This allows the remote server to define the 'tool_slug' and arguments for the agent's 'RUBE_MULTI_EXECUTE_TOOL' calls, bypassing local control.
- PROMPT_INJECTION (HIGH): The skill exhibits a high-risk indirect prompt injection surface. Evidence: 1. Ingestion points: LastPass vault data and tool schemas from 'RUBE_SEARCH_TOOLS'. 2. Boundary markers: None identified. 3. Capability inventory: Remote workbench and multi-tool execution ('RUBE_REMOTE_WORKBENCH', 'RUBE_MULTI_EXECUTE_TOOL'). 4. Sanitization: None identified. Malicious instructions inside vault entries could hijack the tool-calling logic.
Recommendations
- AI detected serious security threats
Audit Metadata