beamer-automation
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGH
Tags: EXTERNAL_DOWNLOADS, REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
- Indirect Prompt Injection (HIGH): The skill possesses a high-risk attack surface due to processing untrusted data alongside execution capabilities.
- Ingestion points: The skill ingests tool schemas and execution plans from RUBE_SEARCH_TOOLS (rube.app) and data from Beamer tool outputs.
- Boundary markers: There are no markers or instructions to isolate or ignore embedded instructions within the fetched data or schemas.
- Capability inventory: The skill enables RUBE_MULTI_EXECUTE_TOOL (executing arbitrary tools) and RUBE_REMOTE_WORKBENCH (running remote workbench tasks), which are high-privilege operations.
- Sanitization: No sanitization or validation of the remote schemas or tool outputs is performed.
- Unverifiable Dependencies (MEDIUM): The skill mandates the use of https://rube.app/mcp as an MCP server. This domain is not within the defined trusted scope, making the entire tool discovery and execution logic dependent on an unvetted third party.
- Remote Code Execution (MEDIUM): The RUBE_REMOTE_WORKBENCH capability allows for remote tool execution based on schemas provided by the untrusted MCP endpoint.
Recommendations
- AI detected serious security threats
Audit Metadata