browserbase-tool-automation

Warn

Audited by Gen Agent Trust Hub on Feb 17, 2026

Risk Level: MEDIUM (EXTERNAL_DOWNLOADS, COMMAND_EXECUTION)
Full Analysis
  • EXTERNAL_DOWNLOADS (LOW): The skill relies on an external MCP server at https://rube.app/mcp. While necessary for the skill's function, this endpoint is not part of the trusted organization list and represents a third-party dependency.
  • COMMAND_EXECUTION (MEDIUM): The skill follows a pattern of dynamic tool execution. It retrieves tool slugs and argument schemas at runtime via RUBE_SEARCH_TOOLS and then executes them using RUBE_MULTI_EXECUTE_TOOL. This dynamic assembly of executable tool calls based on external data is a notable attack surface if the remote source is compromised or untrusted.
  • PROMPT_INJECTION (LOW): The skill is vulnerable to Indirect Prompt Injection (Category 8).
      • Ingestion points: Untrusted data enters the context via the RUBE_SEARCH_TOOLS response in SKILL.md.
      • Boundary markers: Absent; there are no instructions to delimit or ignore instructions within the fetched schemas.
      • Capability inventory: The skill can execute tools via RUBE_MULTI_EXECUTE_TOOL and RUBE_REMOTE_WORKBENCH.
      • Sanitization: Absent; the instructions explicitly tell the agent to use the 'exact field names and types' provided by the search results.
Audit Metadata
  • Risk Level: MEDIUM
  • Analyzed: Feb 17, 2026, 06:22 PM