box-automation

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.80). The skill explicitly searches and ingests arbitrary user-generated Box content (e.g., via BOX_SEARCH_FOR_CONTENT, BOX_DOWNLOAD_FILE, BOX_GET_FILE_INFORMATION and by searching "file_content", "comments", and "web_link" types), so the agent would read untrusted third‑party content stored on Box that could carry indirect prompt injection.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.90). The skill requires adding and using the Rube MCP endpoint https://rube.app/mcp at runtime to provide RUBE_SEARCH_TOOLS/tool schemas and manage tool execution, so external content from that URL can directly control agent prompts and invoke remote code.