buildkite-automation
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGH (EXTERNAL_DOWNLOADS, REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, PROMPT_INJECTION)
Full Analysis
- Indirect Prompt Injection (HIGH): The skill relies on RUBE_SEARCH_TOOLS to fetch schemas and execution plans at runtime.
  - Ingestion points: Data enters from https://rube.app/mcp and potentially from Buildkite build metadata.
  - Boundary markers: None present in the instructions to prevent the agent from obeying instructions embedded in the tool schemas or Buildkite data.
  - Capability inventory: Access to RUBE_MULTI_EXECUTE_TOOL and RUBE_REMOTE_WORKBENCH (file/command execution equivalents in a CI context).
  - Sanitization: No evidence of sanitization for the dynamic tool arguments fetched from the remote server.
- Remote Code/Command Execution (HIGH): The tools RUBE_MULTI_EXECUTE_TOOL and RUBE_REMOTE_WORKBENCH allow for complex operations within a Buildkite environment. Because the logic and parameters for these tools are determined by a remote server at runtime, this constitutes a remote instruction execution vector.
- External Dependency (MEDIUM): The skill requires connecting to https://rube.app/mcp. This third-party endpoint is not on the trusted sources list. Any compromise of this service would allow an attacker to inject malicious tool definitions directly into the agent's workflow.
- Privilege Access (HIGH): The skill specifically automates Buildkite, which is a high-privilege system. Unauthorized access or injection could lead to secret theft (AWS keys, etc. stored in Buildkite) or malicious code injection into the software supply chain.
Recommendations
- AI detected serious security threats
Audit Metadata