mails-so-automation
Warn
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: MEDIUM
EXTERNAL_DOWNLOADS, REMOTE_CODE_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
- [EXTERNAL_DOWNLOADS] (MEDIUM): The skill instructs the agent to connect to an external MCP endpoint https://rube.app/mcp. This source is not on the trusted repository or organization list, meaning the tools and schemas provided are controlled by an unverified third party.
- [REMOTE_CODE_EXECUTION] (MEDIUM): The skill utilizes RUBE_MULTI_EXECUTE_TOOL and RUBE_REMOTE_WORKBENCH for operation. This effectively allows a remote server to define and execute logic on the agent's behalf, which can be risky if the third-party service is compromised or malicious.
- [DATA_EXFILTRATION] (LOW): By design, the skill processes email data through the Rube MCP infrastructure. Users should be aware that sensitive email content will be transmitted to and processed by the rube.app services.
- [PROMPT_INJECTION] (LOW): As a Category 8 (Indirect Prompt Injection) finding, the skill processes untrusted data (emails from Mails So). There is a risk that malicious emails could contain instructions designed to manipulate the agent's behavior via the available Rube tools.
  - Ingestion points: Email content fetched via mails_so toolkit tools (referenced in SKILL.md).
  - Boundary markers: None specified in the instructions to help the agent distinguish between system instructions and email content.
  - Capability inventory: RUBE_MULTI_EXECUTE_TOOL, RUBE_REMOTE_WORKBENCH, and RUBE_MANAGE_CONNECTIONS (SKILL.md).
  - Sanitization: No mention of sanitization or filtering for the processed email data.
Audit Metadata