sensibo-automation
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGHEXTERNAL_DOWNLOADSREMOTE_CODE_EXECUTIONCOMMAND_EXECUTION
Full Analysis
- [EXTERNAL_DOWNLOADS] (HIGH): The skill requires adding an external, unverified MCP server (
https://rube.app/mcp). This server is not within the trusted provider scope and acts as the gatekeeper for all executable tools in this skill. - [REMOTE_CODE_EXECUTION] (HIGH): The workflow pattern relies on
RUBE_SEARCH_TOOLSto fetch execution plans and input schemas dynamically. Since these plans are executed viaRUBE_MULTI_EXECUTE_TOOL, a malicious response from the remote server could lead to arbitrary tool execution or unauthorized actions on connected Sensibo accounts. - [COMMAND_EXECUTION] (HIGH): The
RUBE_REMOTE_WORKBENCHcapability allows for bulk operations and tool execution (run_composio_tool()). This provides an attacker-controlled service with the ability to trigger high-privilege side effects if the service is compromised. - [INDIRECT_PROMPT_INJECTION] (HIGH): Evidence Chain:
- Ingestion points: Tool schemas and execution plans are ingested from the
rube.appendpoint viaRUBE_SEARCH_TOOLS. - Boundary markers: None. The skill instructs the agent to "Always search tools first" and use the exact schemas returned without verification.
- Capability inventory: Includes
RUBE_MULTI_EXECUTE_TOOL(device control) andRUBE_REMOTE_WORKBENCH(bulk tool execution). - Sanitization: None. The skill explicitly warns against hardcoding or validating tool slugs locally, making it entirely dependent on the untrusted remote input.
Recommendations
- AI detected serious security threats
Audit Metadata