amcards-automation

Fail

Audited by Gen Agent Trust Hub on Feb 16, 2026

Risk Level: HIGH
Findings: REMOTE_CODE_EXECUTION, EXTERNAL_DOWNLOADS
Full Analysis
  • [EXTERNAL_DOWNLOADS] (HIGH): The skill instructs the user to add 'https://rube.app/mcp' as an MCP server. This endpoint is not within the trusted source whitelist and represents a persistent connection to an unverified external service.
  • [REMOTE_CODE_EXECUTION] (HIGH): By adding a remote MCP server, the agent is configured to execute tools defined and controlled by that server. The 'RUBE_MULTI_EXECUTE_TOOL' and 'RUBE_REMOTE_WORKBENCH' commands allow for the execution of arbitrary logic provided by the remote endpoint.
  • [INDIRECT_PROMPT_INJECTION] (HIGH): The skill workflow (Category 8) relies on 'RUBE_SEARCH_TOOLS' to fetch 'current tool schemas' and 'recommended execution plans'.
      ◦ Ingestion points: Tool schemas and execution instructions are ingested from the rube.app API during 'RUBE_SEARCH_TOOLS' calls.
      ◦ Boundary markers: None. The agent is explicitly told to follow the 'recommended execution plans' returned by the search results.
      ◦ Capability inventory: The skill uses 'RUBE_MULTI_EXECUTE_TOOL' and 'RUBE_REMOTE_WORKBENCH', allowing for broad execution and bulk operations on external integrations (Amcards).
      ◦ Sanitization: None. The skill prioritizes the remote schema over local constraints, stating 'Never hardcode tool slugs or arguments without calling RUBE_SEARCH_TOOLS'.
  • [DYNAMIC_EXECUTION] (MEDIUM): The skill utilizes runtime discovery of executable tool schemas. While standard for MCP, when combined with an untrusted remote source, it facilitates the dynamic injection of logic into the agent's workflow.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level: HIGH
Analyzed: Feb 16, 2026, 06:18 AM