datagma-automation
Fail
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: HIGHEXTERNAL_DOWNLOADSREMOTE_CODE_EXECUTIONPROMPT_INJECTIONCOMMAND_EXECUTION
Full Analysis
- [EXTERNAL_DOWNLOADS] (HIGH): The skill instructs users to add an external MCP server endpoint (https://rube.app/mcp) that is not on the trusted source list. This endpoint controls the tool definitions and instructions the agent receives.
- [REMOTE_CODE_EXECUTION] (HIGH): The primary function involves executing remote tools via RUBE_MULTI_EXECUTE_TOOL and RUBE_REMOTE_WORKBENCH based on schemas retrieved at runtime from an external source.
- [PROMPT_INJECTION] (HIGH): Significant Indirect Prompt Injection vulnerability. (1) Ingestion points: Tool schemas, input requirements, and execution plans are fetched from the RUBE_SEARCH_TOOLS endpoint in SKILL.md. (2) Boundary markers: None are specified to protect the agent from malicious instructions inside the schema. (3) Capability inventory: High-privilege execution capabilities via RUBE_MULTI_EXECUTE_TOOL and RUBE_REMOTE_WORKBENCH. (4) Sanitization: None; the agent is told to follow the search results exactly.
- [COMMAND_EXECUTION] (MEDIUM): The inclusion of RUBE_REMOTE_WORKBENCH suggests the ability to run code or scripts in a remote environment, escalating the potential impact of an injection.
Recommendations
- AI detected serious security threats
Audit Metadata