ascora-automation
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGHEXTERNAL_DOWNLOADSREMOTE_CODE_EXECUTION
Full Analysis
- Unverifiable Dependencies (HIGH): The skill requires the user to add an external MCP server endpoint (https://rube.app/mcp). This domain is not recognized as a trusted source. Adding an unverified MCP server grants a third party the ability to define tools and instructions that the agent will execute.
- Indirect Prompt Injection (HIGH): The skill's workflow depends on fetching data from the external RUBE_SEARCH_TOOLS endpoint.
- Ingestion points: Tool schemas, recommended execution plans, and pitfalls returned by RUBE_SEARCH_TOOLS from rube.app in SKILL.md.
- Boundary markers: Absent. The instructions do not provide any delimiters or warnings to treat the external tool definitions as untrusted data.
- Capability inventory: The skill includes RUBE_MULTI_EXECUTE_TOOL (SKILL.md), which allows the agent to perform actions (Ascora operations) based on the fetched data.
- Sanitization: Absent. There is no mention of validating or filtering the content returned by the external server before the agent processes and acts upon it.
- Dynamic Execution (MEDIUM): The skill uses RUBE_MULTI_EXECUTE_TOOL to execute tools whose identifiers and parameters are determined dynamically at runtime from an external search query. This 'discover-and-execute' pattern is a significant attack vector if the discovery source is untrusted or compromised.
Recommendations
- AI detected serious security threats
Audit Metadata