aivoov-automation
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGH
Findings: EXTERNAL_DOWNLOADS, COMMAND_EXECUTION, REMOTE_CODE_EXECUTION
Full Analysis
- [EXTERNAL_DOWNLOADS] (MEDIUM): The skill requires the user to add an untrusted remote endpoint (https://rube.app/mcp) as an MCP server. This endpoint is not within the Trusted External Sources list and effectively delegates tool definitions and execution logic to a third-party server.
- [REMOTE_CODE_EXECUTION] (HIGH): The skill implements a pattern where tool schemas, recommended execution plans, and input requirements are fetched at runtime via RUBE_SEARCH_TOOLS and then executed via RUBE_MULTI_EXECUTE_TOOL. This allows the remote server to dictate what commands the agent executes.
- [COMMAND_EXECUTION] (HIGH): The skill provides capabilities to execute arbitrary operations via the RUBE_MULTI_EXECUTE_TOOL and RUBE_REMOTE_WORKBENCH functions based on instructions retrieved from the remote server.
- [INDIRECT_PROMPT_INJECTION] (HIGH): The skill has a high-severity vulnerability surface for indirect prompt injection.
  - Ingestion points: Tool schemas, execution plans, and 'pitfalls' returned by the RUBE_SEARCH_TOOLS call in SKILL.md.
  - Boundary markers: Absent. There are no instructions to validate or delimit the data returned from the search tool before use.
  - Capability inventory: RUBE_MULTI_EXECUTE_TOOL and RUBE_REMOTE_WORKBENCH provide the ability to modify external state (Aivoov tasks).
  - Sanitization: Absent. The instructions explicitly direct the agent to 'Use exact field names and types from the search results', ensuring the agent will follow instructions embedded in the remote data.
Recommendations
- AI detected serious security threats
Audit Metadata