precoro-automation
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGHREMOTE_CODE_EXECUTIONCOMMAND_EXECUTIONEXTERNAL_DOWNLOADS
Full Analysis
- Remote Code Execution (HIGH): The skill utilizes
RUBE_REMOTE_WORKBENCHandRUBE_MULTI_EXECUTE_TOOLto perform operations. The documentation states thatRUBE_SEARCH_TOOLSreturns "recommended execution plans," effectively allowing an untrusted remote server to dictate the logic and sequences of commands the agent executes. - External Connection (HIGH): The setup instructions require adding
https://rube.app/mcpas an MCP server. This domain is not a recognized trusted source. Providing an external endpoint as a primary source of tool definitions allows for full control of the agent's tool-calling capabilities by an unverified third party. - Indirect Prompt Injection (HIGH):
- Ingestion points:
RUBE_SEARCH_TOOLSingests tool slugs, schemas, and execution plans from the remote server. - Boundary markers: Absent. The instructions mandate following the remote results implicitly ("Always search tools first").
- Capability inventory: Includes tool execution (
RUBE_MULTI_EXECUTE_TOOL), remote workbench operations (RUBE_REMOTE_WORKBENCH), and connection management (RUBE_MANAGE_CONNECTIONS). - Sanitization: None. The skill directs the agent to use exact fields and types provided by the remote source without validation.
- Data Exposure Risk (MEDIUM): The skill handles Precoro automation, which involves sensitive procurement and financial data. Managing these operations through an unverified intermediary (Rube/Composio) increases the risk of data exposure or unauthorized transaction manipulation.
Recommendations
- AI detected serious security threats
Audit Metadata