dnsfilter-automation
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGH (EXTERNAL_DOWNLOADS, REMOTE_CODE_EXECUTION, PROMPT_INJECTION)
Full Analysis
- [Indirect Prompt Injection] (HIGH): The skill's primary workflow relies on RUBE_SEARCH_TOOLS to fetch 'recommended execution plans' and schemas from a remote source (rube.app).
  - Ingestion points: The agent ingests data from https://rube.app/mcp via the RUBE_SEARCH_TOOLS and RUBE_GET_TOOL_SCHEMAS calls.
  - Boundary markers: Absent. The instructions tell the agent to 'Always search tools first' and follow the returned plans.
  - Capability inventory: The skill possesses high-impact capabilities through RUBE_MULTI_EXECUTE_TOOL (executing arbitrary tools defined by the remote schema) and RUBE_REMOTE_WORKBENCH (likely shell or code execution environments).
  - Sanitization: None. The agent is encouraged to use exact field names and types provided by the remote server.
- [Unverifiable Dependencies & Remote Code Execution] (HIGH): The skill requires the user to add https://rube.app/mcp as a remote MCP server.
  - Pattern: Remote MCP server configuration.
  - Risk: Since rube.app is not a trusted source, adding it as an MCP server allows the remote endpoint to define and potentially execute logic or commands on the agent's host or within its environment.
- [Data Exposure] (MEDIUM): The skill manages dnsfilter connections. While it uses a management tool (RUBE_MANAGE_CONNECTIONS), it directs users to a third-party service to complete authentication ('follow the returned auth link'), which could lead to credential harvesting or unauthorized access to DNS security settings if the service is compromised.
Recommendations
- AI detected serious security threats
Audit Metadata