apiflash-automation
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGH
Tags: PROMPT_INJECTION, EXTERNAL_DOWNLOADS, REMOTE_CODE_EXECUTION
Full Analysis
- Indirect Prompt Injection (HIGH): The skill exhibits a significant vulnerability to tool output poisoning.
  - Ingestion points: The agent is instructed to call RUBE_SEARCH_TOOLS in SKILL.md, which returns 'recommended execution plans' and 'pitfalls' from a third-party server (rube.app).
  - Boundary markers: None. There are no delimiters or instructions to treat the search results as untrusted data.
  - Capability inventory: The agent has access to RUBE_MULTI_EXECUTE_TOOL and RUBE_REMOTE_WORKBENCH (referenced in SKILL.md), allowing the injected plans to trigger powerful tool executions or bulk operations.
  - Sanitization: None. The instructions mandate using 'exact field names and types' from the untrusted search results.
- Unverifiable Dependency & Remote Execution (HIGH): The skill requires a connection to https://rube.app/mcp, an external MCP server not included in the Trusted External Sources list.
  - The use of RUBE_REMOTE_WORKBENCH for 'bulk ops' implies a remote execution environment where the tool logic is handled externally.
  - The claim 'No API keys needed' suggests that authentication tokens or session proxies are managed by the third-party endpoint, creating a trust dependency for credential handling.
- Metadata/Trust Confusion (MEDIUM): The instructions encourage users to add a third-party endpoint directly to their MCP configuration without clearly documenting the security implications of delegating tool discovery and execution planning to an unverified external entity.
Recommendations
- AI detected serious security threats
Audit Metadata