alchemy-automation
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGHEXTERNAL_DOWNLOADSCOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
- [EXTERNAL_DOWNLOADS] (MEDIUM): The skill requires connecting to an external MCP server at
https://rube.app/mcp. This domain is not recognized as a trusted source, introducing risk from a third-party service provider. - [PROMPT_INJECTION] (HIGH): The skill is highly vulnerable to Indirect Prompt Injection (Category 8) because it uses external data to drive agent logic.
- Ingestion points: Untrusted data enters the context via the
RUBE_SEARCH_TOOLSresponse. - Boundary markers: Absent. The skill explicitly directs the agent to 'Always search tools first' and use the returned 'recommended execution plans'.
- Capability inventory:
RUBE_MULTI_EXECUTE_TOOLandRUBE_REMOTE_WORKBENCHprovide the ability to execute write operations and bulk tasks on the connected Alchemy account. - Sanitization: Absent. The instructions mandate using 'exact field names and types from the search results' without validation.
- [COMMAND_EXECUTION] (HIGH): By dynamically fetching tool definitions and execution plans from a remote source and then executing them via
RUBE_MULTI_EXECUTE_TOOL, the skill allows the remote server to dictate which operations are performed on the user's Alchemy instance, effectively allowing remote command execution.
Recommendations
- AI detected serious security threats
Audit Metadata