Xero Automation
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGH, PROMPT_INJECTION, EXTERNAL_DOWNLOADS
Full Analysis
- [Indirect Prompt Injection] (HIGH): The skill exhibits a high-risk attack surface by combining data ingestion from external sources with high-impact financial tools.
  - Ingestion points: Untrusted data enters the context via XERO_LIST_INVOICES, XERO_GET_CONTACTS, and XERO_LIST_ATTACHMENTS (SKILL.md).
  - Boundary markers: Absent; there are no delimiters or instructions to treat external Xero data as untrusted.
  - Capability inventory: The skill includes tools to modify financial states, specifically XERO_CREATE_PAYMENT and XERO_CREATE_BANK_TRANSACTION (SKILL.md).
  - Sanitization: Absent; no validation or filtering of external content is specified.
- [Unverifiable Dependencies & Remote Code Execution] (LOW): The skill depends on a connection to an external MCP server at rube.app/mcp, which is a third-party dependency (SKILL.md).
Recommendations
- AI detected serious security threats
Audit Metadata