ably-automation
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGH
REMOTE_CODE_EXECUTION, PROMPT_INJECTION
Full Analysis
- Indirect Prompt Injection (HIGH): The skill's primary workflow involves fetching execution plans and schemas from a remote tool (RUBE_SEARCH_TOOLS) and passing them directly to execution tools (RUBE_MULTI_EXECUTE_TOOL).
  - Ingestion points: Data enters the agent context via the output of RUBE_SEARCH_TOOLS (specifically tool slugs, schemas, and execution plans).
  - Boundary markers: None. The instructions do not provide delimiters or warnings to the agent to disregard instructions embedded within the search results.
  - Capability inventory: The skill utilizes RUBE_MULTI_EXECUTE_TOOL and RUBE_REMOTE_WORKBENCH, allowing the agent to perform side-effect-heavy operations on Ably infrastructure.
  - Sanitization: Absent. The agent is explicitly told to use 'exact field names and types' from search results.
- Unverifiable Dependencies (MEDIUM): The skill directs the user to add https://rube.app/mcp as an MCP server. This source is not in the [TRUST-SCOPE-RULE] list. The security of the Ably operations depends entirely on the integrity of this remote endpoint.
- Dynamic Execution (MEDIUM): The 'Core Workflow Pattern' demonstrates a high degree of dynamic logic where the agent's behavior is constructed at runtime based on the search results from the remote server, rather than following static, pre-defined safety paths.
Recommendations
- AI detected serious security threats
Audit Metadata