dailybot-automation
Fail
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: HIGH (EXTERNAL_DOWNLOADS, REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, PROMPT_INJECTION)
Full Analysis
- [External Download/Remote Code Execution] (HIGH): The skill instructs the user to add https://rube.app/mcp as an MCP server. This domain is not within the trusted repository or organization list. Since MCP servers define the executable tools and logic available to the agent, this grants an untrusted third party significant control over the agent's runtime environment.
- [Indirect Prompt Injection] (HIGH): The skill is designed to automate Dailybot tasks, which involves reading external data (messages, standups) that may contain malicious instructions.
  - Ingestion points: Data returned from Dailybot via Rube MCP tools.
  - Boundary markers: Absent; there are no instructions to use delimiters or to ignore instructions embedded in the processed data.
  - Capability inventory: The presence of RUBE_MULTI_EXECUTE_TOOL and RUBE_REMOTE_WORKBENCH provides high-privilege write and execution capabilities.
  - Sanitization: Absent; no mention of validating or escaping content before it is passed to tool arguments.
- [Dynamic Execution] (MEDIUM): The skill relies on RUBE_SEARCH_TOOLS to fetch schemas at runtime, which are then used to build tool calls in RUBE_MULTI_EXECUTE_TOOL. This dynamic discovery of execution schemas from an untrusted source increases the risk of the agent being manipulated into executing unintended commands.
- [Credential Exposure] (MEDIUM): The setup involves RUBE_MANAGE_CONNECTIONS, which directs users to an external authentication link on the untrusted rube.app domain, potentially exposing service tokens or sensitive connection metadata.
Recommendations
- AI detected serious security threats
Audit Metadata