addresszen-automation

Fail

Audited by Gen Agent Trust Hub on Feb 16, 2026

Risk Level: HIGH
Findings: EXTERNAL_DOWNLOADS, COMMAND_EXECUTION, PROMPT_INJECTION, REMOTE_CODE_EXECUTION
Full Analysis
  • [Indirect Prompt Injection] (HIGH): The skill possesses a significant attack surface for indirect prompt injection (Category 8). It ingests untrusted data from external Addresszen tool outputs and search results, then feeds that data into execution-capable tools.
  • Ingestion points: Data returned by RUBE_SEARCH_TOOLS and specific Addresszen tool outputs (e.g., address data, customer records).
  • Boundary markers: Absent. There are no instructions to the agent to ignore instructions embedded within retrieved data.
  • Capability inventory: Includes RUBE_MULTI_EXECUTE_TOOL for performing actions with side effects and RUBE_REMOTE_WORKBENCH, which likely provides a broader execution environment.
  • Sanitization: None specified. The skill relies on 'schema compliance' but does not validate the content of string fields for malicious instructions.
  • [Unverifiable Dependencies] (MEDIUM): The skill requires the user to add an external, non-whitelisted MCP server: https://rube.app/mcp. This endpoint is not part of the trusted source list (e.g., Anthropic, OpenAI) and represents a third-party dependency with control over the tool schemas and execution logic provided to the agent.
  • [Command Execution] (MEDIUM): The skill documentation encourages the use of RUBE_MULTI_EXECUTE_TOOL and RUBE_REMOTE_WORKBENCH. While intended for automation, these tools provide the capability to perform operations on external platforms that could be abused if the agent is compromised via injection.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level: HIGH
Analyzed: Feb 16, 2026, 07:36 AM