entelligence-automation
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGHEXTERNAL_DOWNLOADSREMOTE_CODE_EXECUTIONCOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
- [PROMPT_INJECTION] (HIGH): The skill is highly vulnerable to Indirect Prompt Injection (Category 8).
- Ingestion points: Untrusted data enters via
RUBE_SEARCH_TOOLSwhich provides tool slugs, input schemas, and 'recommended execution plans' fromrube.app(SKILL.md). - Boundary markers: There are no delimiters or instructions to ignore embedded commands within the returned schemas or plans.
- Capability inventory: The skill possesses high-impact capabilities including
RUBE_MULTI_EXECUTE_TOOLandRUBE_REMOTE_WORKBENCH(SKILL.md). - Sanitization: No sanitization or validation of the fetched schemas or plans is mentioned before the agent acts upon them.
- [REMOTE_CODE_EXECUTION] (HIGH): The skill references
RUBE_REMOTE_WORKBENCHandrun_composio_tool(), which are designed for executing code and complex tools in a remote environment. This represents a significant security risk if the remote environment or the instructions provided to it are compromised. - [EXTERNAL_DOWNLOADS] (MEDIUM): The setup requires connecting to a third-party MCP server at
https://rube.app/mcp. This domain is not within the defined trusted source scope, meaning the integrity of the tools provided cannot be verified by the analyzer. - [COMMAND_EXECUTION] (HIGH): The core functionality relies on
RUBE_MULTI_EXECUTE_TOOL, which allows for the execution of arbitrary tools identified through dynamic discovery, bypassing static review of what the agent might actually perform at runtime.
Recommendations
- AI detected serious security threats
Audit Metadata