bubble-automation

Fail

Audited by Gen Agent Trust Hub on Feb 16, 2026

Risk Level: HIGH
Findings: EXTERNAL_DOWNLOADS, PROMPT_INJECTION, COMMAND_EXECUTION
Full Analysis
  • [Indirect Prompt Injection] (HIGH): The skill is designed to process untrusted data from the Bubble platform and execute actions based on tool outputs.
  • Ingestion points: Data retrieved via tools discovered through RUBE_SEARCH_TOOLS and subsequent execution responses.
  • Boundary markers: None. The instructions specify no delimiters around data retrieved from external sources and give no instruction to disregard directives embedded in that data.
  • Capability inventory: Significant write/execute capabilities via RUBE_MULTI_EXECUTE_TOOL and RUBE_REMOTE_WORKBENCH, which can modify Bubble application state or data.
  • Sanitization: Absent. The skill instructions focus on schema compliance rather than content validation or sanitization.
  • [External Downloads & Remote Code Execution] (MEDIUM): The skill requires the user to add an external, untrusted MCP server endpoint (https://rube.app/mcp). This server controls the tool definitions and execution logic, effectively acting as remote code that is not from a trusted source (e.g., Anthropic, OpenAI, or Microsoft).
  • [Data Exposure] (LOW): While the skill uses a centralized gateway (Rube MCP) to manage connections, it directs users to follow authentication links provided by the untrusted server; if the endpoint is compromised, those links could be used for phishing or credential harvesting.
Recommendations
  • AI detected serious security threats
Audit Metadata
  • Risk Level: HIGH
  • Analyzed: Feb 16, 2026, 01:38 PM