canvas-automation
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGHEXTERNAL_DOWNLOADSCOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
- [Indirect Prompt Injection] (HIGH): The skill automates Canvas, which contains untrusted user data (assignments, posts). It has 'write' and 'execute' capabilities through Rube MCP tools, creating a high-risk surface for indirect injection attacks. Evidence: 1. Ingestion points: Content fetched from Canvas API. 2. Boundary markers: Absent; no instructions to isolate data. 3. Capability inventory: Includes RUBE_MULTI_EXECUTE_TOOL and RUBE_REMOTE_WORKBENCH for tool execution. 4. Sanitization: None provided.
- [External Downloads] (MEDIUM): Requires adding https://rube.app/mcp as an MCP server. This endpoint is not in the trusted source list and provides the logic for tool execution at runtime.
- [Dynamic Execution] (MEDIUM): The skill's behavior is determined by schemas fetched at runtime via RUBE_SEARCH_TOOLS, allowing for potential logic shifts if the remote provider is compromised.
Recommendations
- AI detected serious security threats
Audit Metadata