-2chat-automation
Fail
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: HIGHPROMPT_INJECTIONEXTERNAL_DOWNLOADSREMOTE_CODE_EXECUTIONCOMMAND_EXECUTION
Full Analysis
- Indirect Prompt Injection (HIGH): The skill is designed to automate 2chat, which inherently involves ingesting untrusted data from external chat messages. It possesses high-privilege capabilities including RUBE_MULTI_EXECUTE_TOOL and RUBE_MANAGE_CONNECTIONS. Evidence: (1) Ingestion points: 2chat messages via the _2chat toolkit. (2) Boundary markers: Absent. (3) Capability inventory: RUBE_MULTI_EXECUTE_TOOL and RUBE_MANAGE_CONNECTIONS. (4) Sanitization: Absent. Malicious instructions in chat data could hijack the agent's control flow to execute unauthorized tools.
- Unverifiable Dependencies (MEDIUM): The skill directs users to add an untrusted MCP server endpoint (https://rube.app/mcp). This host is not a trusted source and is not the official domain for the mentioned Composio service. This third party controls the tool schemas and slugs provided to the agent.
- Remote Code Execution (MEDIUM): The workflow relies on fetching tool schemas from an unverified remote source (RUBE_SEARCH_TOOLS) and executing them (RUBE_MULTI_EXECUTE_TOOL). This allows a remote entity to dynamically define the logic and parameters of the tools the agent executes.
- Command Execution (MEDIUM): The skill encourages the use of a multi-execute tool pattern which allows for the execution of arbitrary tool slugs discovered at runtime from the remote MCP server.
Recommendations
- AI detected serious security threats
Audit Metadata