docsumo-automation
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGHEXTERNAL_DOWNLOADSREMOTE_CODE_EXECUTIONCOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
- [EXTERNAL_DOWNLOADS] (HIGH): The skill mandates connection to a remote MCP endpoint (
https://rube.app/mcp) which is not on the trusted sources list. All tool logic and schemas are fetched from this unverified external domain. - [REMOTE_CODE_EXECUTION] (HIGH): The pattern of calling
RUBE_SEARCH_TOOLSto get 'current schemas' and then executing them viaRUBE_MULTI_EXECUTE_TOOLorRUBE_REMOTE_WORKBENCHeffectively allows the remote server to execute arbitrary logic on the agent's environment. The agent is instructed to trust the server's output as the authoritative schema. - [COMMAND_EXECUTION] (HIGH): The
RUBE_MULTI_EXECUTE_TOOLandRUBE_REMOTE_WORKBENCHcapabilities allow for the execution of complex workflows (bulk operations) that are defined at runtime by the remote server, bypassing static review of the skill's actual capabilities. - [PROMPT_INJECTION] (HIGH): The instruction 'Always search tools first for current schemas' creates a massive surface for Indirect Prompt Injection (Category 8). If the remote server or the data it processes (from Docsumo) contains malicious instructions within the schemas or search results, the agent is primed to follow them, as it is told to never hardcode and always trust the search results.
Recommendations
- AI detected serious security threats
Audit Metadata