blackbaud-automation
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGH | EXTERNAL_DOWNLOADS, REMOTE_CODE_EXECUTION, PROMPT_INJECTION, COMMAND_EXECUTION
Full Analysis
- External Downloads / Remote Code Execution (HIGH): The skill instructs users to add an external, third-party MCP server URL (https://rube.app/mcp). This server provides the tool logic and executable definitions. Because rube.app is not a recognized trusted source (per [TRUST-SCOPE-RULE]), this constitutes an unverified remote dependency that controls agent capabilities.
- Indirect Prompt Injection (HIGH):
  - Ingestion points: Data enters the agent context via RUBE_SEARCH_TOOLS, which provides tool slugs, input schemas, and "recommended execution plans" from the remote server.
  - Boundary markers: No boundary markers or sanitization logic is present to distinguish between legitimate schemas and malicious instructions embedded in the search results.
  - Capability inventory: The agent has high-privilege capabilities including RUBE_MULTI_EXECUTE_TOOL (executing actions on Blackbaud) and RUBE_REMOTE_WORKBENCH (bulk operations).
  - Sanitization: None. The skill explicitly instructs the agent to follow the schemas and execution plans returned by the search tool without verification.
- Command Execution (MEDIUM): The RUBE_REMOTE_WORKBENCH tool facilitates the execution of functions like run_composio_tool(), which implies a remote execution environment where the agent's actions are mediated by the unverified rube.app service.
Recommendations
- AI detected serious security threats
Audit Metadata