byteforms-automation
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGHEXTERNAL_DOWNLOADSREMOTE_CODE_EXECUTIONCOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
- External Downloads (HIGH): The skill directs the user to add an external MCP server endpoint (
https://rube.app/mcp) which is not a verified trusted source. This facilitates the injection of untrusted capabilities into the agent context. - Remote Code Execution (HIGH): The skill utilizes tools such as
RUBE_REMOTE_WORKBENCHandRUBE_MULTI_EXECUTE_TOOLto perform operations defined by the untrusted external server. - Indirect Prompt Injection (HIGH): The skill relies on
RUBE_SEARCH_TOOLSto fetch schemas and execution logic at runtime. - Ingestion points: Data returned from the
rube.appendpoint via MCP tool calls. - Boundary markers: None; the agent is instructed to 'Always search tools first' and follow the returned schemas implicitly.
- Capability inventory: Tool execution (
RUBE_MULTI_EXECUTE_TOOL), remote workbench access (RUBE_REMOTE_WORKBENCH), and connection management (RUBE_MANAGE_CONNECTIONS). - Sanitization: None; instructions explicitly tell the agent to use 'exact field names and types' from the unverified remote search results.
- Command Execution (HIGH): The skill facilitates the execution of arbitrary tools based on dynamically discovered parameters, allowing a remote actor to control the agent's actions through the tool schema definitions.
Recommendations
- AI detected serious security threats
Audit Metadata