appveyor-automation
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGH
Tags: EXTERNAL_DOWNLOADS, REMOTE_CODE_EXECUTION, COMMAND_EXECUTION
Full Analysis
- Unverifiable Dependencies & Remote Code Execution (HIGH): The skill requires the configuration of an external MCP server endpoint (https://rube.app/mcp). This server is not on the trusted sources list and mediates all tool discovery and execution. The instruction 'No API keys needed — just add the endpoint and it works' suggests a lack of authentication/authorization visibility for the end user.
- Indirect Prompt Injection (HIGH):
  - Ingestion points: The skill ingests data from Appveyor (project configurations, build logs, status) and dynamically retrieves tool schemas from the remote rube.app server.
  - Boundary markers: Absent. There are no instructions to the agent to treat Appveyor output or tool schemas as untrusted data.
  - Capability inventory: The skill uses RUBE_MULTI_EXECUTE_TOOL and RUBE_REMOTE_WORKBENCH, which provide powerful write/execute capabilities within a CI/CD environment.
  - Sanitization: Absent. There is no evidence of validation or sanitization of content retrieved from Appveyor or the MCP server before it is used to generate tool arguments or influence agent logic.
- Dynamic Execution (MEDIUM): The skill relies on RUBE_SEARCH_TOOLS to fetch schemas and execution plans at runtime. This 'Always search first' pattern means the actual commands executed are determined by an external server at runtime, bypassing static auditing.
Recommendations
- AI detected serious security threats
Audit Metadata