instacart-automation

Pass

Audited by Gen Agent Trust Hub on Jun 21, 2026

Risk Level: SAFEPROMPT_INJECTIONEXTERNAL_DOWNLOADSDATA_EXFILTRATION
Full Analysis
  • [PROMPT_INJECTION]: The skill possesses an indirect prompt injection surface as it retrieves tool schemas and execution strategies from an external source via RUBE_SEARCH_TOOLS.\n
  • Ingestion points: Runtime tool definitions and use-case specific plans are provided by the RUBE_SEARCH_TOOLS tool (SKILL.md).\n
  • Boundary markers: There are no explicit instructions to the agent to disregard malicious directives that may be contained within the fetched schemas.\n
  • Capability inventory: The skill can execute various operations through RUBE_MULTI_EXECUTE_TOOL and RUBE_REMOTE_WORKBENCH (SKILL.md).\n
  • Sanitization: The skill lacks validation steps for the content provided by the external tool discovery service.\n- [EXTERNAL_DOWNLOADS]: The skill directs the agent to connect to an external MCP server at https://rube.app/mcp and references official documentation on the Composio platform at composio.dev.\n- [DATA_EXFILTRATION]: The skill utilizes the RUBE_MANAGE_CONNECTIONS tool to establish and verify authenticated connections to Instacart for automation purposes.
Audit Metadata
Risk Level
SAFE
Analyzed
Jun 21, 2026, 02:14 AM
Security Audit — agent-trust-hub — instacart-automation