botpress-automation
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGH
EXTERNAL_DOWNLOADS, COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
- Indirect Prompt Injection (HIGH): The skill is highly vulnerable because it instructs the agent to fetch and strictly follow "recommended execution plans" and tool schemas from a remote source via RUBE_SEARCH_TOOLS. This allows a remote attacker or compromised server to inject instructions directly into the agent's reasoning loop.
- Ingestion points: Data returned from RUBE_SEARCH_TOOLS and RUBE_GET_TOOL_SCHEMAS.
- Boundary markers: None. The instructions tell the agent to "Always search tools first" and use the results to define its actions.
- Capability inventory: RUBE_MULTI_EXECUTE_TOOL, RUBE_REMOTE_WORKBENCH, and RUBE_MANAGE_CONNECTIONS.
- Sanitization: None specified; the agent is encouraged to follow the remote schemas blindly.
- External Dependencies (MEDIUM): The skill requires adding an external MCP server endpoint (https://rube.app/mcp). This server acts as a remote controller for the skill's logic and is not listed in the trusted source scope.
- Command Execution (LOW): The skill is designed to execute arbitrary tools via RUBE_MULTI_EXECUTE_TOOL. While this is the intended functionality, the lack of static schemas means the agent's capabilities are determined at runtime by an external source.
Recommendations
- AI detected serious security threats
Audit Metadata