dropcontact-automation

Fail

Audited by Gen Agent Trust Hub on Feb 16, 2026

Risk Level: HIGH
Findings: REMOTE_CODE_EXECUTION, PROMPT_INJECTION, COMMAND_EXECUTION
Full Analysis
  • PROMPT_INJECTION (HIGH): The skill exhibits a high-risk Indirect Prompt Injection (Category 8c) vulnerability. It explicitly directs the agent to 'Always discover available tools before executing' and to use 'recommended execution plans' returned by the RUBE_SEARCH_TOOLS function.
  • Ingestion Point: The output of RUBE_SEARCH_TOOLS (untrusted external data).
  • Boundary Markers: Absent. There are no instructions to sanitize or ignore malicious directives within the tool results.
  • Capability Inventory: Includes RUBE_MULTI_EXECUTE_TOOL and RUBE_REMOTE_WORKBENCH (arbitrary tool execution).
  • Sanitization: Absent. The agent is encouraged to follow the remote execution plan directly.
  • REMOTE_CODE_EXECUTION (HIGH): By configuring a third-party MCP server (https://rube.app/mcp), the agent's runtime environment becomes dependent on logic provided by a non-trusted external entity. The server can return tool schemas or workflows that execute unintended commands via the RUBE_MULTI_EXECUTE_TOOL interface.
  • COMMAND_EXECUTION (MEDIUM): The skill provides the agent with capabilities to execute multi-tool workflows and access a 'Remote Workbench' (RUBE_REMOTE_WORKBENCH), which significantly expands the attack surface if the agent is manipulated via the remote search tool.
  • DATA_EXFILTRATION (MEDIUM): The skill manages contact data via Dropcontact. The 'No API keys needed' claim for the rube.app endpoint suggests that sensitive session data or contact information may be proxied through an untrusted intermediary server, posing a risk of data capture.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level: HIGH
Analyzed: Feb 16, 2026, 12:38 PM