factorial-automation

Fail

Audited by Gen Agent Trust Hub on Feb 16, 2026

Risk Level: HIGH
EXTERNAL_DOWNLOADS, REMOTE_CODE_EXECUTION, PROMPT_INJECTION
Full Analysis
  • Unverifiable Dependencies & Remote Code Execution (MEDIUM): The skill requires the addition of an external MCP server endpoint (https://rube.app/mcp). This source is not on the trusted list and serves as the primary provider for tool definitions and logic at runtime.
  • Indirect Prompt Injection (HIGH): The skill follows a 'search-then-execute' pattern (Category 8). It ingests untrusted data from a remote server and uses it to drive high-privilege operations on the Factorial platform.
    1. Ingestion points: Data enters the agent context through RUBE_SEARCH_TOOLS, which returns schemas, tool slugs, and 'recommended execution plans' from rube.app.
    2. Boundary markers: Absent. The instructions explicitly tell the agent to 'Use exact field names and types from the search results' and 'Always search tools first', meaning the agent is conditioned to obey the remote content implicitly.
    3. Capability inventory: Through RUBE_MULTI_EXECUTE_TOOL and RUBE_REMOTE_WORKBENCH, the skill can perform actions on the Factorial toolkit, which likely includes managing sensitive employee, financial, or organizational data.
    4. Sanitization: Absent. There is no evidence of validation or filtering of the remote search results before they are passed to execution tools.
  • Dynamic Execution (MEDIUM): The workflow relies on RUBE_SEARCH_TOOLS to provide tool_slug and arguments at runtime (Category 10). If the remote server provides a malicious slug or argument schema, the agent will execute it against the user's Factorial connection.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level
HIGH
Analyzed
Feb 16, 2026, 01:03 PM