agent-mail-automation
Warn
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: MEDIUM
EXTERNAL_DOWNLOADS, REMOTE_CODE_EXECUTION, PROMPT_INJECTION
Full Analysis
- EXTERNAL_DOWNLOADS (MEDIUM): The skill requires connecting to an external MCP server endpoint at https://rube.app/mcp. This source is not verified or listed as a trusted organization, allowing an unvetted third party to define and update the agent's available tools.
- REMOTE_CODE_EXECUTION (MEDIUM): Tools such as RUBE_REMOTE_WORKBENCH and RUBE_MULTI_EXECUTE_TOOL execute logic and workflows provided by the remote MCP server. Using untrusted remote providers introduces a risk of arbitrary tool execution controlled by the remote endpoint.
- PROMPT_INJECTION (LOW): The skill is susceptible to Indirect Prompt Injection (Category 8) as it is designed to ingest and act upon data from external emails.
  - Ingestion points: External email content processed via the agent_mail toolkit (referenced in SKILL.md).
  - Boundary markers: No specific delimiters or instructions to ignore embedded commands are implemented to separate data from instructions.
  - Capability inventory: The agent has access to RUBE_MULTI_EXECUTE_TOOL and RUBE_REMOTE_WORKBENCH (SKILL.md), which can perform sensitive operations if triggered by malicious email content.
  - Sanitization: No sanitization or validation of the ingested email data is described in the skill.
Audit Metadata