accelo-automation
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGH
Findings: PROMPT_INJECTION, REMOTE_CODE_EXECUTION, EXTERNAL_DOWNLOADS
Full Analysis
- [PROMPT_INJECTION] (HIGH): Indirect Prompt Injection Surface. The skill fetches tool schemas and 'recommended execution plans' from an external source (rube.app) and is instructed to follow them explicitly.
  * Ingestion point: Tool definitions and execution guidance retrieved via RUBE_SEARCH_TOOLS in SKILL.md.
  * Boundary markers: Absent. No instructions exist to treat external tool descriptions as untrusted or to ignore embedded instructions.
  * Capability inventory: RUBE_MULTI_EXECUTE_TOOL and RUBE_REMOTE_WORKBENCH provide significant side-effect capabilities (Accelo data modification).
  * Sanitization: None. The agent is explicitly told to follow the returned execution plans and pitfalls.
- [REMOTE_CODE_EXECUTION] (HIGH): Remote Tool Definition. The skill requires adding https://rube.app/mcp as a remote MCP server. This endpoint dynamically defines the tools and logic the agent can execute. Since the source is not on the trusted list, this is a high-risk remote dependency that delegates agent behavior to a third party.
- [EXTERNAL_DOWNLOADS] (MEDIUM): Dependency on an external, unverified MCP endpoint. The setup instructions bypass standard security reviews by suggesting the endpoint 'just works' without credentials, which may obscure the data flow or authorization model.
Recommendations
- AI detected serious security threats
Audit Metadata