breeze-automation
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGH
EXTERNAL_DOWNLOADS, COMMAND_EXECUTION, REMOTE_CODE_EXECUTION
Full Analysis
- [Indirect Prompt Injection] (HIGH): The skill processes untrusted data from an external source (Breeze) and possesses high-privilege capabilities.
  - Ingestion points: Data returned from Breeze via RUBE_MULTI_EXECUTE_TOOL and RUBE_SEARCH_TOOLS (as documented in SKILL.md).
  - Boundary markers: Absent. There are no instructions to the agent to delimit or ignore instructions embedded within retrieved Breeze data.
  - Capability inventory: RUBE_MULTI_EXECUTE_TOOL (write/modify data) and RUBE_REMOTE_WORKBENCH (arbitrary tool execution) in SKILL.md.
  - Sanitization: Absent. No validation or filtering of content retrieved from the external toolkit is mentioned.
- [External Downloads] (MEDIUM): The setup instructions require the user to add an external third-party MCP server (https://rube.app/mcp). This source is not within the defined [TRUST-SCOPE-RULE] list, meaning the execution logic is entirely controlled by an unverified remote provider.
- [Remote Code Execution] (MEDIUM): The RUBE_REMOTE_WORKBENCH and RUBE_MULTI_EXECUTE_TOOL patterns allow the agent to execute operations on remote infrastructure. While intended for Breeze automation, the lack of local control over the tool logic presents a risk of arbitrary execution if the remote provider is compromised or malicious.
Recommendations
- AI detected serious security threats
Audit Metadata