leadfeeder-automation
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGH (EXTERNAL_DOWNLOADS, COMMAND_EXECUTION, PROMPT_INJECTION)
Full Analysis
- [PROMPT_INJECTION] (HIGH): The skill is highly vulnerable to Indirect Prompt Injection (Category 8). It ingests untrusted data from Leadfeeder (leads, account info) and has the capability to execute operations via RUBE_MULTI_EXECUTE_TOOL and RUBE_REMOTE_WORKBENCH based on that data.
  - Ingestion points: Data retrieved from Leadfeeder via dynamically discovered tools.
  - Boundary markers: Absent. No delimiters or instructions to ignore embedded commands are specified.
  - Capability inventory: RUBE_MULTI_EXECUTE_TOOL and RUBE_REMOTE_WORKBENCH provide write and execution capabilities.
  - Sanitization: Absent. No validation of ingested content is mentioned.
- [EXTERNAL_DOWNLOADS] (MEDIUM): The skill depends on a remote MCP server located at https://rube.app/mcp. This domain and service are not part of the trusted source list, introducing a dependency on an unverified third-party provider.
- [COMMAND_EXECUTION] (MEDIUM): The use of RUBE_REMOTE_WORKBENCH and dynamic tool execution via RUBE_MULTI_EXECUTE_TOOL allows complex, multi-step actions on remote infrastructure. While orchestrated through MCP, the lack of a static tool list makes the actual command surface difficult to audit.
Recommendations
- AI detected serious security threats
Audit Metadata