seat-geek-automation
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGHEXTERNAL_DOWNLOADSREMOTE_CODE_EXECUTIONCOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
- [EXTERNAL_DOWNLOADS] (MEDIUM): The skill requires connecting to an external, unverifiable MCP server (https://rube.app/mcp) which provides the primary logic and tool definitions.
- [REMOTE_CODE_EXECUTION] (HIGH): The tool RUBE_REMOTE_WORKBENCH uses run_composio_tool(), enabling potentially arbitrary logic execution on a remote environment.
- [COMMAND_EXECUTION] (HIGH): Side-effect operations on Seat Geek are performed via RUBE_MULTI_EXECUTE_TOOL based on schemas discovered at runtime.
- [PROMPT_INJECTION] (HIGH): The skill is susceptible to indirect prompt injection via the RUBE_SEARCH_TOOLS ingestion point. 1. Ingestion points: Tool schemas and 'recommended execution plans' are fetched from the external Rube server. 2. Boundary markers: Absent; the agent is instructed to use the external plans directly. 3. Capability inventory: Includes account-modifying Seat Geek tools and a remote workbench. 4. Sanitization: None; the skill lacks validation of the externally provided plans before execution.
Recommendations
- AI detected serious security threats
Audit Metadata