anchor-browser-automation
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGH
Threat categories: REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
- Indirect Prompt Injection (HIGH): The skill creates a high-risk surface by processing untrusted data (web page content) and providing tools with side effects.
- Ingestion points: External data from the browser is ingested via the Anchor Browser toolkit.
- Capability inventory: Includes RUBE_MULTI_EXECUTE_TOOL and RUBE_REMOTE_WORKBENCH, allowing for complex actions and potential code execution.
- Boundary markers: None identified in the skill instructions to prevent the agent from obeying instructions found on web pages.
- Sanitization: No evidence of sanitization or filtering of external content before it reaches the LLM context.
- Remote Code Execution (MEDIUM): The skill utilizes RUBE_REMOTE_WORKBENCH and RUBE_MULTI_EXECUTE_TOOL to execute operations on a remote server. The lack of clear constraints on the run_composio_tool() function within the workbench could lead to arbitrary code execution if compromised.
- External Dependency (LOW): The skill requires connecting to an external MCP endpoint (https://rube.app/mcp). While typical for MCP, this source is not on the pre-approved trusted list, necessitating manual verification of the provider's security posture.
Recommendations
- AI detected serious security threats
Audit Metadata