many_chat-automation
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGHEXTERNAL_DOWNLOADSREMOTE_CODE_EXECUTIONCOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
- [PROMPT_INJECTION] (HIGH): High risk of Indirect Prompt Injection (Category 8).
- Ingestion points: Processes external data from ManyChat, including chatbot flows, subscriber details, and messenger automation inputs.
- Boundary markers: None identified. The instructions do not specify any delimiters or safety warnings for handling external content before processing.
- Capability inventory: Has significant side-effect capabilities via
RUBE_MULTI_EXECUTE_TOOL(sending broadcasts, modifying flows) andRUBE_REMOTE_WORKBENCH(arbitrary code execution/data processing). - Sanitization: No sanitization or validation logic is described for the data fetched from the ManyChat API before it is used to influence agent decisions.
- [REMOTE_CODE_EXECUTION] (HIGH): The skill documentation explicitly references
RUBE_REMOTE_WORKBENCHfor bulk operations, suggesting the use ofThreadPoolExecutorandrun_composio_tool()within a remote environment. This provides a surface for executing arbitrary logic on remote infrastructure. - [EXTERNAL_DOWNLOADS] (MEDIUM): The setup requires connecting to an untrusted third-party MCP server (
https://rube.app/mcp). This domain is not within the defined Trusted Source status, posing a risk of man-in-the-middle attacks or malicious tool definitions being served to the agent. - [COMMAND_EXECUTION] (MEDIUM): The skill facilitates the execution of complex workflows through tool slugs discovered at runtime. This dynamic discovery and execution of tools (
RUBE_SEARCH_TOOLSfollowed byRUBE_MULTI_EXECUTE_TOOL) can be manipulated if the search results are poisoned via indirect injection.
Recommendations
- AI detected serious security threats
Audit Metadata