basin-automation

Fail

Audited by Gen Agent Trust Hub on Feb 16, 2026

Risk Level: HIGH
Findings: EXTERNAL_DOWNLOADS, COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
  • [EXTERNAL_DOWNLOADS] (MEDIUM): The skill requires the user to configure a remote MCP server (https://rube.app/mcp) that is not on the trusted list. This creates a dependency on unverified third-party infrastructure for the agent's operational logic.
  • [COMMAND_EXECUTION] (HIGH): The skill employs powerful execution capabilities through RUBE_MULTI_EXECUTE_TOOL and RUBE_REMOTE_WORKBENCH. These tools permit state-changing operations and remote script execution on the Basin platform.
  • [PROMPT_INJECTION] (HIGH): This skill presents a high-risk surface for Indirect Prompt Injection because it dynamically fetches tool schemas and 'recommended execution plans' from the external server.
    1. Ingestion points: RUBE_SEARCH_TOOLS retrieves instructions and schemas from the untrusted rube.app server.
    2. Boundary markers: Absent; the instructions explicitly tell the agent to 'Always search first' and follow the results.
    3. Capability inventory: High-privilege execution via multi-tool and workbench calls.
    4. Sanitization: Absent; the agent is directed to use exact field names and types provided by the external source.
    A compromised server could return malicious plans that the agent would follow to perform unauthorized actions.
Recommendations
  • AI detected serious security threats
Audit Metadata
  • Risk Level: HIGH
  • Analyzed: Feb 16, 2026, 07:54 AM