storerocket-automation
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGHEXTERNAL_DOWNLOADSCOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
- [Indirect Prompt Injection] (HIGH): The skill is highly vulnerable to indirect prompt injection due to the combination of untrusted data ingestion and significant side-effect capabilities.
- Ingestion points: The skill ingests untrusted data from the Storerocket API and tool schemas returned by
RUBE_SEARCH_TOOLS. - Boundary markers: Absent. There are no instructions or delimiters provided to the agent to treat external content as data rather than instructions.
- Capability inventory: The skill utilizes
RUBE_MULTI_EXECUTE_TOOLandRUBE_REMOTE_WORKBENCH, allowing it to perform write operations, modify configurations, and execute code within a remote environment. - Sanitization: No sanitization or validation logic is defined to protect against instructions embedded within the processed Storerocket data.
- [External Downloads] (MEDIUM): The setup instructions require adding a remote MCP server from a non-whitelisted source (
https://rube.app/mcp). This introduces a dependency on a third-party infrastructure that controls the tool execution logic. - [Dynamic Execution] (MEDIUM): The skill relies on
RUBE_REMOTE_WORKBENCHandrun_composio_tool()for bulk operations, which involves executing code or tools within a dynamic remote runtime environment based on schemas discovered at runtime.
Recommendations
- AI detected serious security threats
Audit Metadata