botstar-automation
Pass
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: SAFE (EXTERNAL_DOWNLOADS, REMOTE_CODE_EXECUTION, COMMAND_EXECUTION)
Full Analysis
- EXTERNAL_DOWNLOADS (LOW): The skill requires connection to an external MCP server endpoint at https://rube.app/mcp. This source is not on the predefined trusted list but is a standard requirement for the tool's architecture.
- REMOTE_CODE_EXECUTION (LOW): The skill documentation references the RUBE_REMOTE_WORKBENCH tool, which enables remote execution of workflows. This is a core capability of the integrated toolkit rather than an exploit.
- COMMAND_EXECUTION (LOW): Use of RUBE_MULTI_EXECUTE_TOOL allows the agent to execute discovered actions based on dynamic schemas.
- INDIRECT_PROMPT_INJECTION (LOW): The skill's architecture relies on dynamic ingestion of tool schemas and execution plans, creating a surface for potential injection if the remote server is compromised.
  - Ingestion points: RUBE_SEARCH_TOOLS response payloads which include tool slugs, input schemas, and execution plans (file: SKILL.md).
  - Boundary markers: Absent. The skill does not provide delimiters or warnings to ignore instructions embedded within the fetched tool schemas.
  - Capability inventory: RUBE_MULTI_EXECUTE_TOOL, RUBE_REMOTE_WORKBENCH, RUBE_MANAGE_CONNECTIONS.
  - Sanitization: Absent. The agent is explicitly instructed to follow the exact field names and recommended execution plans returned by the search results without independent validation.