alttext-ai-automation

Fail

Audited by Gen Agent Trust Hub on Feb 16, 2026

Risk Level: HIGH
PROMPT_INJECTION, EXTERNAL_DOWNLOADS, REMOTE_CODE_EXECUTION
Full Analysis
  • Indirect Prompt Injection (HIGH): The skill workflow is designed to fetch and execute 'recommended execution plans' from the Rube MCP server. This represents a significant attack surface where a malicious or compromised remote server can inject instructions directly into the agent's decision-making loop. Evidence: (1) Ingestion points: Data returned from RUBE_SEARCH_TOOLS in SKILL.md. (2) Boundary markers: Absent; the agent is instructed to 'Always search first' and follow returned schemas and plans. (3) Capability inventory: RUBE_MULTI_EXECUTE_TOOL and RUBE_REMOTE_WORKBENCH allow execution of arbitrary tools defined by the remote search. (4) Sanitization: Absent; no validation or filtering of remote content is mentioned.
  • External Tooling Dependencies (MEDIUM): The setup instructions direct the user to add an MCP server endpoint (https://rube.app/mcp) that is not a verified or trusted source according to security policy.
  • Dynamic Execution (MEDIUM): The skill uses RUBE_MULTI_EXECUTE_TOOL and RUBE_REMOTE_WORKBENCH to perform actions based on tool slugs and arguments dynamically discovered at runtime, which facilitates the execution of unverified logic.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level: HIGH
Analyzed: Feb 16, 2026, 06:16 AM