demio-automation
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGHEXTERNAL_DOWNLOADSREMOTE_CODE_EXECUTIONPROMPT_INJECTIONDATA_EXFILTRATION
Full Analysis
- [EXTERNAL_DOWNLOADS] (HIGH): The skill requires adding an untrusted remote MCP endpoint (https://rube.app/mcp). This source is not within the defined trust scope and has the authority to define the tools available to the agent.\n- [REMOTE_CODE_EXECUTION] (HIGH): Tools and 'recommended execution plans' are fetched dynamically from the remote MCP server. This allows the untrusted server to execute logic and steer agent tasks via these plans.\n- [PROMPT_INJECTION] (HIGH): High vulnerability to Indirect Prompt Injection (Category 8) due to the lack of sanitization of external tool definitions.\n
- Ingestion points: Tool schemas and 'execution plans' returned by RUBE_SEARCH_TOOLS from the remote server.\n
- Boundary markers: Absent; the instructions tell the agent to follow the returned execution plans directly.\n
- Capability inventory: Includes RUBE_MULTI_EXECUTE_TOOL and RUBE_REMOTE_WORKBENCH, which allow for state-changing operations and bulk processing.\n
- Sanitization: None; the skill does not verify or sanitize instructions or schemas provided by the remote endpoint.\n- [DATA_EXFILTRATION] (MEDIUM): The skill manages Demio connections involving sensitive webinar and user data. Routing all interactions through an untrusted intermediary server (rube.app) increases the risk of data interception or unauthorized access.
Recommendations
- AI detected serious security threats
Audit Metadata