backendless-automation

Fail

Audited by Gen Agent Trust Hub on Feb 16, 2026

Risk Level: HIGH | PROMPT_INJECTION | EXTERNAL_DOWNLOADS | COMMAND_EXECUTION
Full Analysis
  • [PROMPT_INJECTION] (HIGH): The skill is vulnerable to Indirect Prompt Injection (Category 8) by design. It directs the agent to ingest and act upon 'recommended execution plans' and tool schemas fetched from an external source.
      • Ingestion points: Results from RUBE_SEARCH_TOOLS and RUBE_GET_TOOL_SCHEMAS.
      • Boundary markers: Absent; instructions explicitly command following the search results.
      • Capability inventory: RUBE_MULTI_EXECUTE_TOOL and RUBE_REMOTE_WORKBENCH allow for write and execute operations on Backendless environments.
      • Sanitization: Absent; the agent is not instructed to validate or filter the external suggestions before execution.
  • [EXTERNAL_DOWNLOADS] (MEDIUM): The skill relies on an unverified external MCP server endpoint at 'https://rube.app/mcp'. This domain is not within the defined trusted scope, creating a risk that malicious tools or instructions could be served directly to the agent's runtime.
  • [COMMAND_EXECUTION] (MEDIUM): The skill facilitates complex operations and bulk automation through RUBE_MULTI_EXECUTE_TOOL. While these are presented as tools, the ability to execute sequences of operations based on dynamic, externally-controlled schemas constitutes a significant execution risk if the discovery source is compromised.
Recommendations
  • AI detected serious security threats
Audit Metadata
  • Risk Level: HIGH
  • Analyzed: Feb 16, 2026, 05:37 AM