appdrag-automation
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGH
Findings: EXTERNAL_DOWNLOADS, COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
- External Downloads (HIGH): The skill requires connecting to an external MCP server at https://rube.app/mcp. This domain is not within the defined trusted scope. The documentation states that no API keys are needed and that the endpoint "just works", which implies a lack of transparent authentication and full reliance on the integrity of a third-party service.
- Indirect Prompt Injection (HIGH): This skill exhibits a significant indirect prompt injection surface.
  - Ingestion points: Untrusted data enters the agent context via RUBE_SEARCH_TOOLS, which returns tool slugs, input schemas, "recommended execution plans", and "known pitfalls".
  - Boundary markers: No boundary markers, and no instructions to ignore embedded instructions within the search results, are present.
  - Capability inventory: The skill possesses powerful write/execute capabilities through RUBE_MULTI_EXECUTE_TOOL and RUBE_REMOTE_WORKBENCH, allowing it to modify Appdrag infrastructure.
  - Sanitization: There is no evidence that the remote execution plans are sanitized or validated before the agent acts on them.
- Command Execution (HIGH): The skill facilitates the execution of arbitrary tools on the Appdrag platform via RUBE_MULTI_EXECUTE_TOOL. Since the specific tools and their arguments are determined at runtime by an untrusted remote source, this constitutes a high risk of unauthorized command execution.
Recommendations
- AI detected serious security threats
Audit Metadata