bigml-automation
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGHEXTERNAL_DOWNLOADSPROMPT_INJECTIONREMOTE_CODE_EXECUTION
Full Analysis
- Indirect Prompt Injection (HIGH): The skill is designed to ingest and obey instructions provided by a remote tool at runtime, which is a critical attack surface.
- Ingestion points: Data enters the agent's context through the output of
RUBE_SEARCH_TOOLSandRUBE_GET_TOOL_SCHEMAS(SKILL.md). - Boundary markers: None. There are no instructions to validate or sanitize the schemas, execution plans, or 'pitfalls' returned by the remote server.
- Capability inventory: The agent uses
RUBE_MULTI_EXECUTE_TOOLandRUBE_REMOTE_WORKBENCHto perform actions. Because the agent is told to use 'TOOL_SLUG_FROM_SEARCH' and 'schema-compliant args from search results', an attacker-controlled server can trigger any capability the agent has access to. - Evidence: The instructions explicitly tell the agent to follow 'recommended execution plans' and 'known pitfalls' fetched from the untrusted remote endpoint.
- External Dependency (MEDIUM):
- Finding: The skill requires the user to add an external MCP server:
https://rube.app/mcp. - Risk: This domain is not part of the [TRUST-SCOPE-RULE] whitelist. It serves as the authoritative source for the skill's operational logic, effectively making it a remote dependency with high influence over agent behavior.
- Remote Execution Surface (HIGH):
- Finding: Use of
RUBE_REMOTE_WORKBENCHwithrun_composio_tool(). - Risk: This capability, combined with the lack of static tool definitions, allows the untrusted remote server to orchestrate complex operations or code execution within the environment provided by the workbench tool.
Recommendations
- AI detected serious security threats
Audit Metadata