baselinker-automation
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGHEXTERNAL_DOWNLOADSPROMPT_INJECTION
Full Analysis
- [PROMPT_INJECTION] (HIGH): High-risk Indirect Prompt Injection surface. The skill is designed to fetch tool definitions and execution plans from an external source (
RUBE_SEARCH_TOOLS) and execute them against the Baselinker API. - Ingestion points: Data enters the agent context through
RUBE_SEARCH_TOOLSresponses which provide 'tool slugs, input schemas, and recommended execution plans'. - Boundary markers: Absent. No instructions are provided to the agent to treat external schemas as untrusted or to ignore embedded instructions in the metadata.
- Capability inventory: The skill has significant side-effect capabilities including
RUBE_MULTI_EXECUTE_TOOLandRUBE_REMOTE_WORKBENCHfor executing Baselinker operations. - Sanitization: Absent. There is no requirement for validation or filtering of the schema content before interpolation into tool calls.
- [EXTERNAL_DOWNLOADS] (MEDIUM): The skill relies on an unverified third-party MCP endpoint (
https://rube.app/mcp). This domain is not part of the defined trusted sources and could deliver malicious tool definitions if compromised. - [COMMAND_EXECUTION] (MEDIUM): The skill encourages dynamic discovery and execution of tools (
RUBE_MULTI_EXECUTE_TOOL) based on runtime search results, which is a form of dynamic loading of executable paths (tool slugs).
Recommendations
- AI detected serious security threats
Audit Metadata