bart-automation
Warn
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: MEDIUM (EXTERNAL_DOWNLOADS, REMOTE_CODE_EXECUTION)
Full Analysis
- [External Dependencies] (MEDIUM): The skill requires the rube MCP server, directing users to connect to https://rube.app/mcp. This is an external endpoint not included in the Trusted External Sources list. The instruction stating 'No API keys needed' suggests the server might handle authentication internally or act as a proxy, which requires trust in the third-party provider.
- [Indirect Prompt Injection] (MEDIUM): The skill implements a mandatory dynamic discovery pattern via RUBE_SEARCH_TOOLS.
  - Ingestion points: The agent ingests tool slugs, input schemas, and 'recommended execution plans' from the remote server response.
  - Boundary markers: None provided in the instructions.
  - Capability inventory: The agent can perform actions via RUBE_MULTI_EXECUTE_TOOL based on the ingested data.
  - Sanitization: None; the skill explicitly instructs the agent to use the exact field names and recommended plans returned by the server. If the server returns a malicious tool definition or plan, the agent is primed to follow it.
- [Dynamic Execution] (LOW): The skill uses RUBE_MULTI_EXECUTE_TOOL to execute tools discovered at runtime. While this is the intended functionality of the toolkit, it inherits the risk level of the remote discovery source.
Audit Metadata