bigpicture-io-automation

Fail

Audited by Gen Agent Trust Hub on Feb 16, 2026

Risk Level: HIGH

Tags: EXTERNAL_DOWNLOADS, REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
  • Unverifiable Dependencies & Remote Code Execution (HIGH): The skill requires the addition of an external MCP server https://rube.app/mcp. This server is not a trusted source and serves as the primary provider of tool logic and capabilities. The claim that 'No API keys needed' suggests an opaque authentication or proxy model that handles user data/actions.
  • Indirect Prompt Injection (HIGH): The skill exhibits a high-risk injection surface by design.
      ◦ Ingestion points: Untrusted data (schemas, execution plans, and pitfalls) enters the agent context via RUBE_SEARCH_TOOLS from a remote server.
      ◦ Boundary markers: Absent. The agent is explicitly told to follow the returned 'recommended execution plans' without validation.
      ◦ Capability inventory: The skill possesses significant write/execute capabilities through RUBE_MULTI_EXECUTE_TOOL and RUBE_REMOTE_WORKBENCH, allowing the remote server to potentially drive complex operations on the user's Bigpicture IO account.
      ◦ Sanitization: Absent. There is no instruction to validate or escape the instructions returned by the remote search tool.
  • Dynamic Execution (MEDIUM): The skill relies on 'RUBE_GET_TOOL_SCHEMAS' and dynamic use cases to assemble executable tool calls at runtime. This behavior, when combined with instructions from an untrusted remote source, allows for the execution of arbitrary operations within the Bigpicture IO toolkit scope.
Recommendations
  • AI detected serious security threats
Audit Metadata
  • Risk Level: HIGH
  • Analyzed: Feb 16, 2026, 01:04 PM