loyverse-automation
Warn
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: MEDIUM
Findings: EXTERNAL_DOWNLOADS, REMOTE_CODE_EXECUTION, PROMPT_INJECTION, DATA_EXFILTRATION
Full Analysis
- [EXTERNAL_DOWNLOADS] (MEDIUM): The skill directs the agent to connect to an external, third-party MCP server at https://rube.app/mcp. This domain is not within the defined list of trusted organizations, posing a risk of unverifiable logic or dependency updates.
- [REMOTE_CODE_EXECUTION] (MEDIUM): The use of RUBE_MULTI_EXECUTE_TOOL and RUBE_REMOTE_WORKBENCH enables the execution of remote tools and code snippets via the Composio ecosystem. This allows the agent to perform complex actions on remote infrastructure based on instructions received from the external server.
- [PROMPT_INJECTION] (MEDIUM): The skill is vulnerable to Indirect Prompt Injection (Category 8) due to its interaction with external business data.
  - Ingestion points: Data retrieved from the Loyverse API, such as customer notes, product descriptions, or order metadata.
  - Boundary markers: The instructions lack delimiters or constraints to prevent the agent from obeying instructions embedded within the POS data.
  - Capability inventory: The skill has high-privilege write/execute capabilities via RUBE_MULTI_EXECUTE_TOOL, which could be abused to modify inventory, change prices, or alter transactions.
  - Sanitization: There is no mention of sanitizing or escaping the data fetched from Loyverse before it is used in tool arguments.
- [DATA_EXFILTRATION] (LOW): Sensitive business data (sales, inventory, and customer info) is inherently transmitted to rube.app and composio.dev. While functional, this represents the transfer of private data to third-party services not explicitly audited for this environment.
Audit Metadata