securitytrails-automation

Fail

Audited by Gen Agent Trust Hub on Feb 16, 2026

Risk Level: HIGH
Tags: EXTERNAL_DOWNLOADS, REMOTE_CODE_EXECUTION, PROMPT_INJECTION
Full Analysis
  • Indirect Prompt Injection (HIGH): The skill is designed to process external, untrusted data from SecurityTrails (such as DNS records, WHOIS data, and subdomain listings). This data can be manipulated by attackers to include malicious instructions.
  • Ingestion points: External data fetched via SecurityTrails tool calls in SKILL.md.
  • Boundary markers: Absent; there are no instructions to the agent to treat SecurityTrails output as untrusted data or to use delimiters.
  • Capability inventory: The skill uses RUBE_MULTI_EXECUTE_TOOL and RUBE_REMOTE_WORKBENCH, which allow the agent to execute a wide variety of tools and operations based on processed data.
  • Sanitization: Absent; the skill relies on raw tool outputs to determine subsequent TOOL_SLUG and arguments in Step 3 of the workflow.
  • External Downloads & Untrusted Sources (MEDIUM): The setup instructions require the user to add https://rube.app/mcp as an MCP server. This domain is not part of the [TRUST-SCOPE-RULE] whitelist. While it claims to be powered by Composio, the endpoint itself is an unverified third-party service providing executable tool definitions to the agent.
  • Remote Code Execution (HIGH): The workflow encourages a pattern where tool schemas and execution plans are dynamically retrieved via RUBE_SEARCH_TOOLS and then executed via RUBE_MULTI_EXECUTE_TOOL. If the external MCP server or the data source (SecurityTrails) is compromised, it can lead to the execution of arbitrary tools with attacker-controlled arguments.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level: HIGH
Analyzed: Feb 16, 2026, 12:57 PM