encodian-automation
Fail
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: HIGH
REMOTE_CODE_EXECUTION, PROMPT_INJECTION, COMMAND_EXECUTION, EXTERNAL_DOWNLOADS
Full Analysis
- [Indirect Prompt Injection] (HIGH): The skill implements a workflow where the agent must fetch tool schemas and "recommended execution plans" from a remote, untrusted source (rube.app) via RUBE_SEARCH_TOOLS.
  - Ingestion points: Untrusted data enters the agent context through the results of RUBE_SEARCH_TOOLS (file: SKILL.md).
  - Boundary markers: Absent. The instructions explicitly command the agent to follow the remote results ("Always search tools first", "Use exact field names and types from search results").
  - Capability inventory: The agent has access to RUBE_MULTI_EXECUTE_TOOL and RUBE_REMOTE_WORKBENCH, which provide powerful execution environments.
  - Sanitization: Absent. There is no validation or filtering of the schema or plans returned by the remote server.
- [Remote Code Execution] (HIGH): While technically calling tools, the orchestration of RUBE_MULTI_EXECUTE_TOOL based on dynamically fetched "execution plans" from an untrusted server constitutes a form of remote-controlled action execution. If the remote server is compromised, it can instruct the agent to perform any action available to the toolkit.
- [External Downloads] (MEDIUM): The setup instructions require the user to add an untrusted external endpoint (https://rube.app/mcp) to their client configuration. This source is not on the trusted provider list and maintains control over the agent's tool definitions.
- [Command Execution] (MEDIUM): The RUBE_REMOTE_WORKBENCH tool with run_composio_tool() suggests a capability for executing complex logic or bulk operations in a remote environment, increasing the blast radius of a potential injection attack.
Recommendations
- AI detected serious security threats
Audit Metadata