salesforce-automation
Warn
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: MEDIUMEXTERNAL_DOWNLOADSDATA_EXFILTRATIONPROMPT_INJECTION
Full Analysis
- [EXTERNAL_DOWNLOADS] (MEDIUM): The skill requires the user to configure an external MCP server at
https://rube.app/mcp. This domain is not among the trusted providers, representing a dependency on an unverifiable remote source that controls the available tools. - [DATA_EXFILTRATION] (LOW): The skill communicates with
rube.app, which is not a whitelisted domain. All CRM data processed by this skill passes through this third-party proxy, which is a necessary but noteworthy data flow. - [PROMPT_INJECTION] (LOW): Indirect Prompt Injection Surface (Category 8):
- Ingestion points: Untrusted data enters the agent's context through Salesforce tool outputs such as
SALESFORCE_LIST_LEADS,SALESFORCE_SEARCH_CONTACTS, and customSALESFORCE_RUN_SOQL_QUERYresults. - Boundary markers: There are no boundary markers or instructions to the agent to disregard instructions embedded within the CRM data.
- Capability inventory: While the skill lacks local system access (shell/filesystem), it can modify remote CRM state via tools like
SALESFORCE_UPDATE_LEADandSALESFORCE_UPDATE_TASK, which could be used to propagate malicious payloads. - Sanitization: No sanitization, escaping, or validation of data retrieved from Salesforce is performed before it is presented to the LLM.
Audit Metadata