carbone-automation
Warn
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: MEDIUM
Findings: EXTERNAL_DOWNLOADS, COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
- EXTERNAL_DOWNLOADS (MEDIUM): The skill instructs users to add https://rube.app/mcp as a remote MCP server. This domain is not included in the Trusted External Sources list, making it an unverifiable dependency that defines the agent's available tools.
- COMMAND_EXECUTION (MEDIUM): Workflows rely on RUBE_SEARCH_TOOLS to retrieve tool schemas and execution plans at runtime from a remote server, which are then executed via RUBE_MULTI_EXECUTE_TOOL. This allows the remote server to dictate the logic and parameters of local tool execution.
- PROMPT_INJECTION (LOW): The skill is vulnerable to indirect prompt injection (Category 8) because it processes untrusted data from the search tool to guide subsequent actions.
  1. Ingestion points: Tool metadata and schemas from RUBE_SEARCH_TOOLS.
  2. Boundary markers: None present; the agent is told to 'Always search first' and follow search results strictly.
  3. Capability inventory: Includes tool execution and remote workbench operations.
  4. Sanitization: None specified in the instructions.
Audit Metadata