canny-automation
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGHEXTERNAL_DOWNLOADSCOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
- Prompt Injection (HIGH): Vulnerable to Indirect Prompt Injection due to processing external Canny content with significant side-effect capabilities. \n
- Ingestion points: Canny feedback data, comments, and task descriptions processed by the agent in file SKILL.md. \n
- Boundary markers: Absent; there are no instructions to treat Canny data as untrusted or to delimit it from agent instructions. \n
- Capability inventory:
RUBE_MULTI_EXECUTE_TOOLandRUBE_REMOTE_WORKBENCHprovide arbitrary tool execution and remote workbench capabilities (SKILL.md). \n - Sanitization: Absent; the workflow relies on dynamic discovery and execution without validation of the source data content.\n- External Downloads (MEDIUM): The skill requires the configuration of an external MCP server at
https://rube.app/mcp. This is a non-whitelisted remote dependency that acts as the execution engine for all Canny operations and handles potentially sensitive connection data.\n- Command Execution (MEDIUM): UsesRUBE_MULTI_EXECUTE_TOOLandRUBE_REMOTE_WORKBENCHto perform operations. These tools facilitate dynamic execution of actions based on schemas fetched at runtime, which increases the attack surface if the discovery process or the input data is manipulated.
Recommendations
- AI detected serious security threats
Audit Metadata