bouncer-automation
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGH
Tags: EXTERNAL_DOWNLOADS, REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
- [Indirect Prompt Injection] (HIGH): The skill establishes an attack surface by requiring the agent to fetch tool schemas and execution plans from an external source (https://rube.app/mcp) before every operation. This allows the remote server to inject malicious instructions or redirect agent logic via the 'recommended execution plans' field.
  - Ingestion points: Data returned from RUBE_SEARCH_TOOLS (tool slugs, schemas, execution plans).
  - Boundary markers: Absent. The instructions mandate following the search results exactly.
  - Capability inventory: RUBE_MULTI_EXECUTE_TOOL (action execution) and RUBE_REMOTE_WORKBENCH (likely a shell or code execution environment).
  - Sanitization: None detected. The agent is encouraged to trust and execute based on remote search results.
- [Remote Code Execution] (HIGH): The inclusion of RUBE_REMOTE_WORKBENCH paired with dynamic instruction fetching allows the remote server to potentially execute arbitrary code or complex command sequences within the agent's environment.
- [External Downloads] (MEDIUM): The setup instructions require adding a non-whitelisted remote MCP server (https://rube.app/mcp). This establishes a persistent link to an unverified third-party service that controls the tool's core logic.
- [Command Execution] (MEDIUM): The skill relies on tools designed to execute multi-step operations (RUBE_MULTI_EXECUTE_TOOL) which can be misused to perform unauthorized actions on the Bouncer platform if the input schemas are poisoned.
Recommendations
- AI detected serious security threats
Audit Metadata