brandfetch-automation
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGHEXTERNAL_DOWNLOADSPROMPT_INJECTIONCOMMAND_EXECUTION
Full Analysis
- [EXTERNAL_DOWNLOADS] (MEDIUM): The skill requires connecting to an untrusted external MCP endpoint
https://rube.app/mcp. This source is outside the trusted scope and provides the logic for the agent's actions. - [PROMPT_INJECTION] (HIGH): The skill is highly vulnerable to Indirect Prompt Injection (Category 8) because it fetches 'recommended execution plans' from an external source and instructs the agent to follow them.
- Ingestion points:
RUBE_SEARCH_TOOLSreturns schemas and execution plans from the remote server into the agent context. - Boundary markers: None present; the skill explicitly directs the agent to 'Always search tools first' and follow the returned guidance.
- Capability inventory:
RUBE_MULTI_EXECUTE_TOOLandRUBE_REMOTE_WORKBENCHprovide broad tool execution capabilities across the Brandfetch toolkit. - Sanitization: None; the agent is instructed to use the 'exact field names' and recommended plans provided by the external search results.
- [COMMAND_EXECUTION] (HIGH): The skill enables execution of remote tools and management of connections based on instructions fetched at runtime from an unverified server, potentially allowing a malicious server to trigger unauthorized actions via the agent.
Recommendations
- AI detected serious security threats
Audit Metadata