chatfai-automation
Warn
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: MEDIUMEXTERNAL_DOWNLOADSREMOTE_CODE_EXECUTION
Full Analysis
- [EXTERNAL_DOWNLOADS] (MEDIUM): The skill instructs the user to add a remote MCP server at
https://rube.app/mcp. This domain is not among the trusted organizations (like Anthropic, OpenAI, or Google), meaning the tool definitions provided to the agent are unverifiable and controlled by an external party. - [REMOTE_CODE_EXECUTION] (MEDIUM): The skill utilizes
RUBE_REMOTE_WORKBENCHandRUBE_MULTI_EXECUTE_TOOLto perform actions. Since these tools are defined dynamically by the remote server viaRUBE_SEARCH_TOOLS, the agent is effectively executing remote logic that can change without notice. - [Indirect Prompt Injection] (LOW): The skill has a significant attack surface for indirect injection because it dynamically ingests instructions from an external source.
- Ingestion points: Tool schemas and execution plans are fetched from the remote
rube.appendpoint viaRUBE_SEARCH_TOOLS(File: SKILL.md). - Boundary markers: No boundary markers or 'ignore' instructions are used when processing the external schema data.
- Capability inventory: Access to
RUBE_MULTI_EXECUTE_TOOLandRUBE_REMOTE_WORKBENCHprovides high-privilege execution capabilities (File: SKILL.md). - Sanitization: No sanitization is mentioned; the skill explicitly directs the agent to follow 'exact field names and types from the search results'.
Audit Metadata