certifier-automation
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: CRITICALEXTERNAL_DOWNLOADSREMOTE_CODE_EXECUTIONCOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
- [EXTERNAL_DOWNLOADS] (CRITICAL): The skill instructs users to add an untrusted MCP server at 'https://rube.app/mcp'. As this domain is not on the trusted source list, it represents an unvetted entry point for agent logic.
- [REMOTE_CODE_EXECUTION] (CRITICAL): The skill relies on 'RUBE_SEARCH_TOOLS' to fetch execution plans and schemas from a remote server at runtime, which are then run via 'RUBE_MULTI_EXECUTE_TOOL'. This allows the remote server to control agent behavior dynamically.
- [COMMAND_EXECUTION] (HIGH): The skill provides access to 'RUBE_REMOTE_WORKBENCH', which typically involves arbitrary code execution or complex scripting environments, significantly increasing the risk of abuse.
- [PROMPT_INJECTION] (HIGH): The skill is highly vulnerable to indirect prompt injection. Evidence: 1. Ingestion points: External data from the Certifier toolkit; 2. Boundary markers: Absent in prompt instructions; 3. Capability inventory: Includes multi-tool execution and remote workbench access; 4. Sanitization: No sanitization or validation of external content is described.
Recommendations
- AI detected serious security threats
Audit Metadata