coda-automation
Warn
Audited by Gen Agent Trust Hub on Mar 30, 2026
Risk Level: MEDIUM
EXTERNAL_DOWNLOADS, REMOTE_CODE_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
- [EXTERNAL_DOWNLOADS]: Instructs users to configure a remote MCP server using the endpoint https://rube.app/mcp. This involves connecting to an external third-party domain to fetch tool schemas and execution logic.
- [REMOTE_CODE_EXECUTION]: Relies on remote capability loading via the MCP protocol from an unverified source. The agent's available tools are defined and potentially updated by the external server at runtime.
- [DATA_EXFILTRATION]: Provides instructions for exporting document content to external URLs. While a standard feature of the Coda API, the use of an unverified intermediary MCP service (rube.app) creates a potential path for data observation or redirection.
- [PROMPT_INJECTION]: Contains a surface for indirect prompt injection (Category 8).
  - Ingestion points: The skill ingests untrusted data from external sources such as Coda documents and rows via CODA_LIST_TABLE_ROWS and CODA_SEARCH_ROW (found in SKILL.md).
  - Boundary markers: No explicit boundary markers or instructions to ignore embedded commands are present in the workflows.
  - Capability inventory: The skill possesses high-impact write capabilities including CODA_UPSERT_ROWS, CODA_ADD_PERMISSION, and CODA_PUBLISH_DOC (found in SKILL.md).
  - Sanitization: No evidence of input sanitization or validation is described in the prompt construction logic.
Audit Metadata