bidsketch-automation
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGH
Findings: EXTERNAL_DOWNLOADS, COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
- EXTERNAL_DOWNLOADS (MEDIUM): The skill requires the user to add an external MCP server endpoint (https://rube.app/mcp) that is not on the trusted providers list. This endpoint serves as a remote dependency for fetching tool schemas and execution logic at runtime.
- COMMAND_EXECUTION (HIGH): The skill exposes high-privilege tools such as RUBE_MULTI_EXECUTE_TOOL and RUBE_REMOTE_WORKBENCH. These allow for multi-step tool execution and remote environment management, which can be exploited if the agent is misdirected.
- PROMPT_INJECTION (HIGH): The skill is highly vulnerable to Indirect Prompt Injection (Category 8).
  1. Ingestion points: Untrusted data enters the agent context via responses from Bidsketch and tool definitions fetched from the Rube MCP server.
  2. Boundary markers: None; there are no instructions or delimiters provided to ensure the agent ignores embedded instructions within the ingested data.
  3. Capability inventory: The skill provides full write/execute capabilities through the Rube toolkit.
  4. Sanitization: None; the instructions explicitly direct the agent to use dynamically discovered tool schemas and data to formulate its next actions.
Recommendations
- AI detected serious security threats