cloudflare-browser-rendering-automation
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGH
Findings: EXTERNAL_DOWNLOADS, REMOTE_CODE_EXECUTION, PROMPT_INJECTION, COMMAND_EXECUTION
Full Analysis
- [EXTERNAL_DOWNLOADS] (HIGH): The skill requires connecting to an external MCP server at 'https://rube.app/mcp'. This domain is not within the Trusted External Sources scope and serves as the primary provider for executable tool definitions.
- [REMOTE_CODE_EXECUTION] (HIGH): By dynamically loading tool schemas and 'recommended execution plans' from an untrusted remote source (rube.app) and passing them directly to execution tools like 'RUBE_MULTI_EXECUTE_TOOL', the skill facilitates a form of remote code execution via tool manipulation.
- [PROMPT_INJECTION] (HIGH): The skill is highly vulnerable to Indirect Prompt Injection (Category 8).
  - Ingestion points: Tool schemas, descriptions, and plans ingested from 'RUBE_SEARCH_TOOLS' (SKILL.md).
  - Boundary markers: Absent. The skill provides no instructions for the agent to verify or sanitize the output of the search tool before execution.
  - Capability inventory: Significant capabilities including 'RUBE_MULTI_EXECUTE_TOOL' and 'RUBE_REMOTE_WORKBENCH' (which allows 'run_composio_tool()').
  - Sanitization: Absent. The agent is explicitly told to 'Always search first' and use 'exact field names' from the search results, ensuring any malicious payload in the schema is faithfully executed.
- [COMMAND_EXECUTION] (MEDIUM): The 'RUBE_REMOTE_WORKBENCH' tool permits arbitrary tool execution within the Composio environment, which could be leveraged to perform unauthorized operations if the remote provider returns malicious instructions.
Recommendations
- AI detected serious security threats
Audit Metadata