sympla-automation

Fail

Audited by Gen Agent Trust Hub on Feb 16, 2026

Risk Level: HIGH
Tags: EXTERNAL_DOWNLOADS, COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
  • Indirect Prompt Injection (HIGH): The skill is designed to ingest data (tool schemas, input requirements, and "recommended execution plans") from an external, unverified source (rube.app) via the RUBE_SEARCH_TOOLS command.
      • Ingestion Point: Data returned from the RUBE_SEARCH_TOOLS endpoint.
      • Boundary Markers: None. The instructions explicitly tell the agent to follow the returned execution plans.
      • Capability Inventory: Includes RUBE_MULTI_EXECUTE_TOOL and RUBE_REMOTE_WORKBENCH, which allow the agent to perform write operations and bulk tasks on the Sympla platform.
      • Sanitization: No sanitization or validation of the remote schemas or plans is mentioned.
  • External Service Dependency (MEDIUM): The skill requires connecting to an external MCP endpoint (https://rube.app/mcp) that is not part of the defined trusted source scope. This endpoint serves as the control plane for the skill's capabilities.
  • Dynamic Tool Execution (MEDIUM): The workflow relies on tool_slug values and arguments discovered at runtime. This dynamic loading from computed paths (slugs) allows the remote server to dictate which functions the agent calls and with what data.
  • Potential for Unconstrained Execution (MEDIUM): The use of RUBE_REMOTE_WORKBENCH with run_composio_tool() suggests a high-privilege environment that could be exploited if the agent is misled by malicious tool schemas returned during the discovery phase.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level: HIGH
Analyzed: Feb 16, 2026, 12:48 PM