digital-ocean-automation

Fail

Audited by Gen Agent Trust Hub on Feb 16, 2026

Risk Level: HIGH
Findings: PROMPT_INJECTION, COMMAND_EXECUTION, EXTERNAL_DOWNLOADS
Full Analysis
  • PROMPT_INJECTION (HIGH): High vulnerability to Indirect Prompt Injection (Category 8). The skill instructions mandate that the agent 'Always search tools first' and use the 'recommended execution plans' and schemas provided by the remote server.
    1. Ingestion points: RUBE_SEARCH_TOOLS response (referenced in SKILL.md).
    2. Boundary markers: Absent; no instructions to ignore embedded commands in the search results.
    3. Capability inventory: RUBE_MULTI_EXECUTE_TOOL (allowing droplet deletion, firewall modification, etc.).
    4. Sanitization: Absent. A malicious response from the remote server could inject commands to destroy infrastructure.
  • COMMAND_EXECUTION (HIGH): The skill grants the agent the capability to manage cloud resources through RUBE_MULTI_EXECUTE_TOOL. When these commands are derived from untrusted external discovery results, there is a high risk of unauthorized infrastructure changes.
  • EXTERNAL_DOWNLOADS (MEDIUM): The skill depends on a non-whitelisted third-party MCP endpoint (https://rube.app/mcp). While not a direct script download, this endpoint controls the logic and tool definitions the agent uses, creating a supply-chain risk.
Recommendations
  • AI detected serious security threats
Audit Metadata
  • Risk Level: HIGH
  • Analyzed: Feb 16, 2026, 01:40 PM