close-automation
Warn
Audited by Gen Agent Trust Hub on Feb 20, 2026
Risk Level: MEDIUMEXTERNAL_DOWNLOADSPROMPT_INJECTION
Full Analysis
- [EXTERNAL_DOWNLOADS] (MEDIUM): The skill requires adding 'https://rube.app/mcp' as an MCP server. This domain is not included in the list of trusted organizations or repositories. External MCP services act as intermediaries that define and potentially execute logic, creating a dependency on an unverified third party for CRM operations.
- [PROMPT_INJECTION] (LOW): The skill is vulnerable to indirect prompt injection (Category 8) as it retrieves and processes untrusted data from an external CRM. 1. Ingestion points: CLOSE_GET_NOTE (reads existing notes that could contain malicious instructions); 2. Boundary markers: Absent (no instructions to ignore content within CRM fields); 3. Capability inventory: CLOSE_CREATE_SMS, CLOSE_CREATE_TASK, CLOSE_DELETE_CALL (capabilities that could be triggered or influenced by malicious data); 4. Sanitization: Absent (no evidence of filtering or escaping retrieved content).
Audit Metadata