zoho_books-automation
Fail
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: HIGH
Categories: PROMPT_INJECTION, REMOTE_CODE_EXECUTION, EXTERNAL_DOWNLOADS
Full Analysis
- [PROMPT_INJECTION] (HIGH): The skill is highly susceptible to Indirect Prompt Injection (Category 8) because it ingests untrusted data from an external API and possesses significant side-effect capabilities.
  - Ingestion points: Data retrieved from Zoho Books via RUBE_MULTI_EXECUTE_TOOL (e.g., invoice descriptions, contact names, expense notes).
  - Boundary markers: Absent. The skill provides no instructions to the agent on how to delimit or ignore instructions embedded in the external data.
  - Capability inventory: The skill can execute write operations (create invoices, payments) and run code via RUBE_REMOTE_WORKBENCH.
  - Sanitization: None detected. Data from the API is used directly to drive subsequent agent decisions and tool calls.
- [REMOTE_CODE_EXECUTION] (MEDIUM): The skill explicitly promotes the use of RUBE_REMOTE_WORKBENCH to execute Python code (e.g., using ThreadPoolExecutor) for batch processing. While a feature of the toolkit, this dynamic execution environment could be exploited if the agent interpolates untrusted data from Zoho Books into the scripts it generates for the workbench.
- [EXTERNAL_DOWNLOADS] (LOW): The skill requires connecting to an external MCP server at https://rube.app/mcp. Per the security policy, this is flagged as an external dependency because the domain is not on the predefined list of trusted sources.
Recommendations
- AI detected serious security threats
Audit Metadata