brex-automation
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGH
Findings: EXTERNAL_DOWNLOADS, REMOTE_CODE_EXECUTION, PROMPT_INJECTION
Full Analysis
- EXTERNAL_DOWNLOADS (HIGH): The skill is entirely dependent on the untrusted external endpoint 'https://rube.app/mcp'. This endpoint is not within the trusted organization scope defined in the security framework.
- REMOTE_CODE_EXECUTION (HIGH): Logic for tools and execution steps is retrieved dynamically from the remote MCP server via 'RUBE_SEARCH_TOOLS' and executed via 'RUBE_MULTI_EXECUTE_TOOL'. This allows the remote server to control agent actions at runtime without local verification of the tool's code or intent. This also falls under Dynamic Execution (Category 10), as tool slugs and arguments are assembled at runtime from external data.
- PROMPT_INJECTION (HIGH): The skill has a high-risk surface for Indirect Prompt Injection (Category 8).
  - Ingestion points: The agent context is populated with 'recommended execution plans' and 'schemas' from the results of 'RUBE_SEARCH_TOOLS', as seen in SKILL.md.
  - Boundary markers: Absent; the instructions actively encourage following the remote output ('Always call RUBE_SEARCH_TOOLS first').
  - Capability inventory: The skill uses 'RUBE_MULTI_EXECUTE_TOOL' and 'RUBE_REMOTE_WORKBENCH' to perform write operations and bulk tasks on a Brex financial account.
  - Sanitization: Absent; there is no evidence of validating the retrieved plans or schemas before tool invocation.
Recommendations
- AI detected serious security threats
Audit Metadata