browserless-automation
Warn
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: MEDIUM EXTERNAL_DOWNLOADS COMMAND_EXECUTION
Full Analysis
- [Indirect Prompt Injection] (HIGH): The skill is designed to process untrusted data from the web via browser automation tools while maintaining high-privilege execution capabilities.
  - Ingestion points: Web content retrieved during browser operations and tool schemas returned by RUBE_SEARCH_TOOLS (SKILL.md).
  - Boundary markers: None present; the agent is instructed to use schemas directly from search results without validation.
  - Capability inventory: RUBE_MULTI_EXECUTE_TOOL and RUBE_REMOTE_WORKBENCH allow for the execution of arbitrary browser automation tasks and bulk operations (SKILL.md).
  - Sanitization: None mentioned; the skill prioritizes exact compliance with remote schemas over input validation.
- [Unverifiable Dependencies] (MEDIUM): The skill requires the addition of a remote MCP server (https://rube.app/mcp). This endpoint is not within the provided list of trusted sources and acts as a remote dependency that defines the agent's available tools at runtime.
- [Dynamic Execution] (MEDIUM): The skill explicitly forbids hardcoding tool logic, requiring the agent to fetch schemas via RUBE_SEARCH_TOOLS before every execution. This runtime assembly of tool arguments based on external data is a form of dynamic execution that could be exploited if the remote server is compromised or returns malicious schemas.
Audit Metadata