browseai-automation
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGHREMOTE_CODE_EXECUTIONEXTERNAL_DOWNLOADSPROMPT_INJECTION
Full Analysis
- Indirect Prompt Injection (HIGH): The skill is designed to interact with external web content via Browseai, making it a high-risk target for indirect prompt injection. \n
- Ingestion points: External data retrieved from the web via Browseai tools. \n
- Boundary markers: Absent. The instructions do not provide delimiters or warnings to ignore instructions embedded in the retrieved content. \n
- Capability inventory: The skill uses
RUBE_MULTI_EXECUTE_TOOLandRUBE_REMOTE_WORKBENCH, which allow the agent to execute actions with side effects based on potentially poisoned input. \n - Sanitization: Absent. No validation or filtering of external data is specified before it is processed by the agent. \n- Unverifiable Dependencies & Remote Execution (MEDIUM): The skill requires a remote MCP server connection to
https://rube.app/mcp. This server provides the tool definitions and handles the logic at runtime. This external dependency is not within the defined trusted source scope. \n- Dynamic Execution (MEDIUM): Tool schemas and slugs are dynamically retrieved viaRUBE_SEARCH_TOOLSand then executed. This means the agent's available functions and their parameters are controlled by a remote server at runtime, which could be manipulated to inject malicious tool parameters.
Recommendations
- AI detected serious security threats
Audit Metadata