memberstack-automation
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGH
Findings: PROMPT_INJECTION, EXTERNAL_DOWNLOADS, REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, DATA_EXFILTRATION
Full Analysis
- Indirect Prompt Injection (HIGH): The skill relies on RUBE_SEARCH_TOOLS, which returns "recommended execution plans" from an external, untrusted server (https://rube.app/mcp). This creates an attack surface where the agent is instructed to follow instructions provided by a third-party service at runtime.
  - Ingestion points: Data returned from RUBE_SEARCH_TOOLS includes execution plans and pitfalls.
  - Capability inventory: RUBE_MULTI_EXECUTE_TOOL (tool execution) and RUBE_REMOTE_WORKBENCH (likely shell/code execution via run_composio_tool()).
  - Sanitization: No evidence of sanitization or boundary markers for the external instructions.
- Remote Code Execution (HIGH): The "recommended execution plans" are dynamically generated instructions that can command the agent to perform any action available to the MCP server, including sensitive tool execution.
- Data Exfiltration (HIGH): Memberstack authentication and data processing are mediated through the untrusted rube.app proxy. The instructions state "No API keys needed — just add the endpoint", implying the third-party server handles credentials, which exposes sensitive account access to the service provider.
- External Downloads (MEDIUM): The skill mandates connection to an external MCP server (https://rube.app/mcp) which is not included in the trusted provider list.
Recommendations
- AI detected serious security threats
Audit Metadata