coda-automation

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.80). The SKILL.md explicitly instructs the agent to call endpoints that fetch and read user-generated Coda content (e.g., CODA_LIST_TABLE_ROWS, CODA_LIST_PAGES, CODA_BEGIN_CONTENT_EXPORT, CODA_RESOLVE_BROWSER_LINK) and then take actions based on that content (upsert rows, push buttons, publish docs), meaning untrusted third-party document data can materially influence tool use and decisions.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.90). The skill requires connecting to the Rube MCP endpoint https://rube.app/mcp at runtime (via RUBE_SEARCH_TOOLS/RUBE_MANAGE_CONNECTIONS) to fetch tool schemas and manage tool behavior, so remote content from that URL can directly control the agent's prompts/tools and execution.