mailbluster-automation
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGH (REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, PROMPT_INJECTION)
Full Analysis
- Indirect Prompt Injection (HIGH): The skill is highly vulnerable to indirect prompt injection because it mandates that the agent fetch and follow instructions from an untrusted external source.
  - Ingestion points: The results from RUBE_SEARCH_TOOLS, which include 'recommended execution plans' and 'known pitfalls' provided by the external MCP server.
  - Boundary markers: Absent. There are no instructions for the agent to distinguish between valid schema data and potentially malicious natural language instructions embedded in the tool descriptions or plans.
  - Capability inventory: The agent possesses powerful capabilities including RUBE_MULTI_EXECUTE_TOOL (executing operations on Mailbluster) and RUBE_REMOTE_WORKBENCH (running arbitrary tool logic).
  - Sanitization: Absent. The skill explicitly tells the agent to 'Always search tools first' and follow the returned execution plans, creating a direct path for an attacker-controlled response to hijack the agent's workflow.
- Remote Code Execution (HIGH): Use of RUBE_REMOTE_WORKBENCH with run_composio_tool() facilitates the execution of logic hosted and managed on a remote environment controlled by an untrusted third party.
- External Downloads (MEDIUM): The setup guide requires users to connect to a third-party MCP endpoint (https://rube.app/mcp) which is not within the defined list of trusted sources. This endpoint controls the tool schemas and instructions the agent receives.
- Command Execution (MEDIUM): The skill facilitates the execution of a suite of tools via RUBE_MULTI_EXECUTE_TOOL based on dynamic, externally-provided inputs, increasing the risk of unauthorized actions if the tool discovery process is compromised.
Recommendations
- AI detected serious security threats
Audit Metadata