The Agent Skills Directory

EXTERNAL_DOWNLOADS (HIGH): The skill requires the installation of a remote Model Context Protocol (MCP) server from https://rube.app/mcp. This domain is not on the list of trusted sources. Because this server handles sensitive Ashby ATS data, including API authentication and PII, using an untrusted external service represents a significant supply chain risk.
PROMPT_INJECTION (HIGH): The skill is highly vulnerable to Indirect Prompt Injection (Category 8). It ingests untrusted data from candidate profiles, LinkedIn URLs, and internal notes which are then processed by the agent. A malicious actor could embed instructions in a LinkedIn profile or candidate note that, when read by the agent, could trigger unauthorized actions such as creating job postings, modifying candidate data, or exfiltrating sensitive recruiter notes.
Ingestion points: ASHBY_GET_CANDIDATE_INFO, ASHBY_LIST_CANDIDATE_NOTES, ASHBY_SEARCH_CANDIDATES.
Boundary markers: None present in the documentation or tool descriptions to delimit untrusted data from instructions.
Capability inventory: The skill has high-impact write capabilities, including ASHBY_CREATE_JOB, ASHBY_UPDATE_CANDIDATE, and ASHBY_CREATE_APPLICATION.
Sanitization: No evidence of sanitization or instruction-filtering for external content.
DATA_EXFILTRATION (MEDIUM): While not explicitly exfiltrating to an attacker-controlled domain, the skill directs all sensitive recruiting data through a third-party intermediary (rube.app via Composio) to function. This architecture inherently exposes PII to an external party outside of the primary ATS (Ashby) and the AI provider's trust boundaries.

Ashby Automation