everhour-automation
Fail
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: HIGH
EXTERNAL_DOWNLOADS, REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
- [PROMPT_INJECTION] (HIGH): The skill implements a workflow where tool schemas and execution plans are fetched at runtime via RUBE_SEARCH_TOOLS. This creates a critical vulnerability to Indirect Prompt Injection (Category 8), where an attacker-controlled MCP server or manipulated tool search results could inject malicious instructions or arguments into subsequent high-privilege tool executions.
  - Ingestion points: Results from RUBE_SEARCH_TOOLS processed in SKILL.md.
  - Boundary markers: Absent; no instructions exist to ignore embedded instructions in the fetched schemas.
  - Capability inventory: RUBE_MULTI_EXECUTE_TOOL and RUBE_REMOTE_WORKBENCH provide execution capabilities.
  - Sanitization: Absent; the skill blindly trusts 'tool_slug' and 'arguments' from the search results.
- [EXTERNAL_DOWNLOADS] (MEDIUM): The skill mandates connection to an unverified external MCP server at https://rube.app/mcp. This domain is not recognized as a trusted source (e.g., GitHub, Google, Anthropic) and acts as the source for all executable tool definitions.
- [REMOTE_CODE_EXECUTION] (HIGH): The use of RUBE_REMOTE_WORKBENCH and RUBE_MULTI_EXECUTE_TOOL allows for the execution of arbitrary logic hosted by a third-party toolkit provider. Because the skill dynamically resolves these tools at runtime via an untrusted search mechanism, it enables unverified remote code execution if the upstream search result is compromised.
- [COMMAND_EXECUTION] (MEDIUM): The skill uses RUBE_MULTI_EXECUTE_TOOL, which effectively maps to system-level operations or API calls with side effects on the Everhour platform. The lack of a predefined, static tool list increases the risk of the agent executing unintended or malicious commands suggested by the MCP server.
Recommendations
- AI detected serious security threats
Audit Metadata