retailed-automation

Fail

Audited by Gen Agent Trust Hub on Feb 17, 2026

Risk Level: HIGH
Findings: EXTERNAL_DOWNLOADS, REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
  • [EXTERNAL_DOWNLOADS] (HIGH): The setup instructions require the user to add https://rube.app/mcp as an MCP server. This source is not on the list of trusted repositories or organizations. Since this server provides the definitions for all tools and execution plans, it represents a significant third-party dependency with high control over agent behavior.
  • [PROMPT_INJECTION] (HIGH): The skill is highly vulnerable to Indirect Prompt Injection (Category 8).
      • Ingestion points: RUBE_SEARCH_TOOLS retrieves tool slugs, input schemas, 'recommended execution plans', and 'known pitfalls' from an external server.
      • Boundary markers: None. The agent is instructed to 'Always search first' and 'Use exact field names and types from search results', effectively treating remote data as authoritative instructions.
      • Capability inventory: RUBE_MULTI_EXECUTE_TOOL and RUBE_REMOTE_WORKBENCH provide the ability to execute operations based on this untrusted data.
      • Sanitization: None provided. The agent is explicitly told to follow the 'recommended execution plans' returned by the search tool.
  • [REMOTE_CODE_EXECUTION] (HIGH): The combination of dynamic tool discovery from an untrusted source and the RUBE_MULTI_EXECUTE_TOOL capability allows the remote server to dictate which tools the agent runs and what arguments it uses. This effectively grants the remote server the ability to execute code/actions via the Retailed toolkit.
  • [COMMAND_EXECUTION] (MEDIUM): The reference to RUBE_REMOTE_WORKBENCH and run_composio_tool() indicates a capability to perform complex, potentially sensitive operations in a remote environment, which increases the impact of any successful injection or malicious instruction from the MCP server.
Recommendations
  • AI detected serious security threats
Audit Metadata
  • Risk Level: HIGH
  • Analyzed: Feb 17, 2026, 12:22 AM