userlist-automation
Pass
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: SAFE EXTERNAL_DOWNLOADS REMOTE_CODE_EXECUTION DATA_EXFILTRATION
Full Analysis
- EXTERNAL_DOWNLOADS (LOW): The skill instructs the user to add a remote MCP server endpoint (`https://rube.app/mcp`). While this is a standard configuration for the Model Context Protocol, it introduces a dependency on a third-party server that is not part of the pre-defined trusted organizations.
- REMOTE_CODE_EXECUTION (LOW): The skill utilizes `RUBE_MULTI_EXECUTE_TOOL` and `RUBE_REMOTE_WORKBENCH` to perform operations on the Composio/Userlist platform. This involves executing logic on a remote workbench environment.
- DATA_EXFILTRATION (LOW): The skill's primary purpose is to process data from 'Userlist', which likely contains PII or sensitive customer data. Because this data is processed via a remote toolkit, there is an inherent risk of data exposure to the tool provider.
- PROMPT_INJECTION (LOW): Category 8 (Indirect Prompt Injection). The skill is vulnerable to indirect injection because it dynamically fetches tool schemas and execution plans via `RUBE_SEARCH_TOOLS` from a remote server.
  - Ingestion points: Tool schemas and input definitions returned by `RUBE_SEARCH_TOOLS` (referenced in SKILL.md).
  - Boundary markers: Absent; the agent is instructed to use the exact field names and types from the search results without specific sanitization instructions.
  - Capability inventory: `RUBE_MULTI_EXECUTE_TOOL` and `RUBE_REMOTE_WORKBENCH` allow the agent to perform actions based on the ingested schemas.
  - Sanitization: Not present in the skill instructions.
Audit Metadata