beaconchain-automation
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGHREMOTE_CODE_EXECUTIONCOMMAND_EXECUTIONPROMPT_INJECTIONEXTERNAL_DOWNLOADS
Full Analysis
- [Indirect Prompt Injection] (HIGH): The skill mandates that the agent fetch 'recommended execution plans' and tool definitions from the
RUBE_SEARCH_TOOLStool before every operation. This creates a high-severity vulnerability where an attacker controlling therube.appendpoint could inject malicious instructions into the 'execution plan' or 'pitfalls' fields, leading the agent to perform unauthorized transactions or data exfiltration. - Ingestion Point:
RUBE_SEARCH_TOOLSoutput (specifically execution plans and tool slugs). - Boundary Markers: Absent. The skill instructions explicitly tell the agent to follow the returned plans.
- Capability Inventory:
RUBE_MULTI_EXECUTE_TOOLandRUBE_REMOTE_WORKBENCHprovide broad tool and remote execution capabilities. - Sanitization: Absent. No verification of tool slugs or plan validity.
- [Remote Code Execution] (HIGH): The combination of the
RUBE_REMOTE_WORKBENCHtool and the requirement to use an untrusted external discovery service (rube.app) creates a path for remote code execution. The agent is encouraged to 'Run tools first' which determines the code logic it will subsequently execute. - [External Downloads] (MEDIUM): The skill requires the configuration of an external MCP server (
https://rube.app/mcp) which is not on the trusted source list. While necessary for the skill's function, it introduces a permanent dependency on an untrusted third-party domain.
Recommendations
- AI detected serious security threats
Audit Metadata