all-images-ai-automation

Fail

Audited by Gen Agent Trust Hub on Feb 16, 2026

Risk Level: HIGH
Tags: PROMPT_INJECTION, EXTERNAL_DOWNLOADS, REMOTE_CODE_EXECUTION
Full Analysis
  • [Indirect Prompt Injection] (HIGH): The skill is highly vulnerable to indirect prompt injection because it fetches tool definitions, input schemas, and execution plans from an external source (rube.app) via the RUBE_SEARCH_TOOLS command. The instructions mandate that the agent must 'Always call RUBE_SEARCH_TOOLS first' and 'Use exact field names and types from the search results,' effectively delegating control of the agent's logic to the remote server. Evidence:
    1. Ingestion points: RUBE_SEARCH_TOOLS response (referenced in SKILL.md).
    2. Boundary markers: Absent.
    3. Capability inventory: RUBE_MULTI_EXECUTE_TOOL and RUBE_REMOTE_WORKBENCH.
    4. Sanitization: Absent.
  • [External Downloads] (MEDIUM): The skill requires connecting to an external MCP server at https://rube.app/mcp. This endpoint is not a verified trusted source and provides the functional tool definitions and execution logic at runtime.
  • [Remote Code Execution] (MEDIUM): The use of RUBE_REMOTE_WORKBENCH and RUBE_MULTI_EXECUTE_TOOL to execute operations based on remotely-provided schemas allows for the execution of logic defined by an external party, which constitutes a dynamic execution path for untrusted data.
Recommendations
  • AI detected serious security threats
Audit Metadata
  • Risk Level: HIGH
  • Analyzed: Feb 16, 2026, 08:02 AM