quaderno-automation
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGHEXTERNAL_DOWNLOADSREMOTE_CODE_EXECUTIONCOMMAND_EXECUTION
Full Analysis
- EXTERNAL_DOWNLOADS (HIGH): The skill requires connecting to
https://rube.app/mcp. This domain is not within the Trusted External Sources, and connecting the agent to an unverified third-party MCP endpoint grants that endpoint significant influence over agent behavior. - REMOTE_CODE_EXECUTION (HIGH): Tools such as
RUBE_MULTI_EXECUTE_TOOLandRUBE_REMOTE_WORKBENCH(specificallyrun_composio_tool()) enable the execution of remote logic. This effectively allows an external provider to run code or perform operations in the user's environment or connected accounts. - Indirect Prompt Injection (HIGH): The skill is highly vulnerable to poisoning via external content.
- Ingestion points:
RUBE_SEARCH_TOOLSreturns tool slugs, schemas, and 'recommended execution plans' from a remote server. - Boundary markers: None are implemented; the skill instructs the agent to 'Always search tools first' and follow the returned metadata.
- Capability inventory: The skill possesses extensive write/execute capabilities via the Quaderno toolkit (e.g., managing invoices, payments, or customer data).
- Sanitization: No sanitization is present. If the remote server returns a malicious 'execution plan,' the agent is likely to obey it, leading to unauthorized data modification or account takeover.
Recommendations
- AI detected serious security threats
Audit Metadata