botsonic-automation
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGH
Tags: REMOTE_CODE_EXECUTION, COMMAND_EXECUTION
Full Analysis
- Indirect Prompt Injection (HIGH): The skill's core workflow relies on processing untrusted data from an external source to determine agent behavior.
  - Ingestion points: Data returned by RUBE_SEARCH_TOOLS from the remote endpoint https://rube.app/mcp.
  - Boundary markers: Absent. There are no instructions to sanitize or verify the 'recommended execution plans' or schemas returned by the remote server.
  - Capability inventory: The skill utilizes RUBE_MULTI_EXECUTE_TOOL and RUBE_REMOTE_WORKBENCH, which allow for broad tool execution and bulk operations.
  - Sanitization: Absent. The agent is explicitly told to 'Always search tools first' and use the 'exact field names and types from the search results'.
- Remote Code Execution (HIGH): The setup instructions require adding an unverified third-party MCP server (https://rube.app/mcp). Since MCP servers define tool logic and can execute code, connecting to an untrusted endpoint is equivalent to allowing remote code influence over the agent's environment.
- Dynamic Execution (HIGH): The 'Core Workflow Pattern' involves fetching tool definitions at runtime and immediately executing them. This 'lookup-and-execute' pattern prevents any static safety verification of the tools being run, as their behavior is defined by the remote server at the moment of execution.
Recommendations
- AI detected serious security threats
Audit Metadata