open-sea-automation
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGH
Flags: EXTERNAL_DOWNLOADS, COMMAND_EXECUTION
Full Analysis
- [Unverifiable Dependencies] (HIGH): The skill instructs the user to register an external MCP server at https://rube.app/mcp. This domain is not a recognized trusted source. Because MCP servers provide the tool definitions that the agent executes, the remote server has full control over the 'capabilities' it offers the agent.
- [Indirect Prompt Injection] (HIGH): The skill is designed to ingest and obey instructions/schemas from the remote server at runtime.
  - Ingestion points: Tool slugs, input schemas, and execution plans are fetched via RUBE_SEARCH_TOOLS from the remote endpoint.
  - Boundary markers: None. The agent is instructed to 'Always search first' and 'Use exact field names' from the remote response, effectively delegating its control logic to the external source.
  - Capability inventory: The skill possesses powerful capabilities, including RUBE_MULTI_EXECUTE_TOOL and RUBE_REMOTE_WORKBENCH, which can perform financial transactions on OpenSea.
  - Sanitization: None. The skill lacks any verification of the integrity or safety of the schemas returned by the untrusted remote server.
- [Command Execution] (MEDIUM): The use of RUBE_REMOTE_WORKBENCH with run_composio_tool() indicates a capability for remote logic execution. This increases the risk profile, as it allows the external server to execute complex operations within the agent's context.
Recommendations
- AI detected serious security threats
Audit Metadata