spondyr-automation
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGH
Tags: PROMPT_INJECTION, COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, REMOTE_CODE_EXECUTION
Full Analysis
- Indirect Prompt Injection (HIGH): The skill is designed to ingest and execute instructions from the RUBE_SEARCH_TOOLS output, which explicitly includes 'recommended execution plans' and 'known pitfalls'. This creates a significant attack surface where a compromised MCP server could manipulate agent behavior.
  - Ingestion points: Output from the dynamic RUBE_SEARCH_TOOLS function.
  - Boundary markers: Absent; there are no instructions to the agent to treat external tool descriptions or plans as untrusted.
  - Capability inventory: The skill enables connection management, multi-tool execution, and a remote workbench.
  - Sanitization: Absent; instructions mandate the use of 'exact field names and types' from external search results.
- Unverifiable Dependencies (MEDIUM): The skill requires the addition of an external, non-whitelisted MCP endpoint (https://rube.app/mcp). This establishes a runtime dependency on an unverified service.
- Remote Code Execution (MEDIUM): The RUBE_REMOTE_WORKBENCH and run_composio_tool() functions provide a mechanism for remote code and task execution. When combined with dynamic tool discovery, this allows for the execution of complex operations based on potentially malicious external input.
- Command Execution (MEDIUM): The RUBE_MULTI_EXECUTE_TOOL capability grants the agent side-effect capabilities on the Spondyr platform based on dynamically discovered schemas, increasing the risk of unauthorized actions.
Recommendations
- AI detected serious security threats
Audit Metadata