daffy-automation
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGH
Tags: PROMPT_INJECTION, DATA_EXFILTRATION, COMMAND_EXECUTION
Full Analysis
- [Indirect Prompt Injection] (HIGH): The skill relies on RUBE_SEARCH_TOOLS to fetch execution plans and schemas from a remote server, creating a high-risk surface for instruction injection. Ingestion points: tool schemas and 'recommended execution plans' from RUBE_SEARCH_TOOLS response. Boundary markers: Absent; instructions explicitly command the agent to 'Always search tools first' and follow returned results. Capability inventory: RUBE_MULTI_EXECUTE_TOOL and RUBE_REMOTE_WORKBENCH allow the agent to perform financial actions and execute code/tools. Sanitization: Absent; no validation or filtering of the remote content is mentioned.
- [Data Exposure & Exfiltration] (MEDIUM): All interactions with the Daffy donor-advised fund are routed through the rube.app MCP endpoint. This non-whitelisted third-party service can observe sensitive financial data and authentication session details.
- [Command Execution] (MEDIUM): The skill uses RUBE_REMOTE_WORKBENCH and RUBE_MULTI_EXECUTE_TOOL to perform operations defined by the external MCP server, allowing for the execution of arbitrary tools defined at runtime by the remote service.
Recommendations
- AI detected serious security threats
Audit Metadata