botbaba-automation
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGHEXTERNAL_DOWNLOADSPROMPT_INJECTIONCOMMAND_EXECUTION
Full Analysis
- [EXTERNAL_DOWNLOADS] (MEDIUM): The skill directs the user to add an untrusted external MCP server endpoint (https://rube.app/mcp) to their configuration.
- [PROMPT_INJECTION] (HIGH): The skill is highly vulnerable to Indirect Prompt Injection (Category 8). 1. Ingestion points: The agent ingests data from RUBE_SEARCH_TOOLS which is controlled by the external Rube service. 2. Boundary markers: Absent; no instructions are provided to the agent to ignore embedded commands in the search results. 3. Capability inventory: The skill uses RUBE_MULTI_EXECUTE_TOOL and RUBE_REMOTE_WORKBENCH to execute operations. 4. Sanitization: Absent; the agent is instructed to follow schemas and arguments provided by the external source without validation.
- [COMMAND_EXECUTION] (HIGH): The skill enables the execution of arbitrary tools via the Botbaba toolkit based on instructions fetched from a remote, untrusted source at runtime.
Recommendations
- AI detected serious security threats
Audit Metadata