coda-automation
Warn
Audited by Gen Agent Trust Hub on Feb 27, 2026
Risk Level: MEDIUM
Categories: EXTERNAL_DOWNLOADS, DATA_EXFILTRATION, COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
- [EXTERNAL_DOWNLOADS]: The skill requires the configuration of an external MCP server at 'https://rube.app/mcp'. This directs all agent interactions and data through a third-party service that is not on the trusted vendor list, which may pose a privacy risk if sensitive document data is processed through this proxy.
- [DATA_EXFILTRATION]: The skill includes tools such as 'CODA_BEGIN_CONTENT_EXPORT' and 'CODA_CONTENT_EXPORT_STATUS' which generate temporary download URLs for document content in HTML or Markdown formats. This capability allows for the systematic extraction of internal document data to external files.
- [COMMAND_EXECUTION]: The skill facilitates state-changing operations within the Coda environment via 'CODA_PUSH_A_BUTTON' and 'CODA_UPSERT_ROWS'. These tools execute logic defined inside Coda docs or modify table data based on the agent's interpretation of inputs.
- [PROMPT_INJECTION]: The skill is susceptible to Indirect Prompt Injection (Category 8) due to its data-handling patterns.
  - Ingestion points: Data enters the agent context through 'CODA_LIST_TABLE_ROWS', 'CODA_SEARCH_ROW', 'CODA_GET_A_PAGE', and 'CODA_LIST_FORMULAS'.
  - Boundary markers: No specific delimiters or instructions are provided to the agent to ignore potentially malicious commands embedded within the Coda rows or pages it reads.
  - Capability inventory: The agent has high-privilege capabilities including 'CODA_ADD_PERMISSION' (changing access control), 'CODA_PUBLISH_DOC' (making private data public), and 'CODA_PUSH_A_BUTTON' (triggering workflow actions).
  - Sanitization: There is no evidence of sanitization or schema validation for the data retrieved from Coda before it is used to influence subsequent tool calls.