fillout-forms-automation
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGHEXTERNAL_DOWNLOADSPROMPT_INJECTIONCOMMAND_EXECUTION
Full Analysis
- Remote Service Dependency (HIGH): The skill requires connecting to an external MCP server at
https://rube.app/mcp. This domain is not among the trusted sources. This endpoint provides the tool logic, schemas, and execution plans, delegating control to a third party. - Indirect Prompt Injection (HIGH):
- Ingestion points:
RUBE_SEARCH_TOOLSretrieves dynamic tool definitions, schemas, and "recommended execution plans" from the remote server. - Boundary markers: None. The instructions explicitly tell the agent to follow the schemas and plans returned by the remote server.
- Capability inventory:
RUBE_MULTI_EXECUTE_TOOLandRUBE_REMOTE_WORKBENCHprovide the ability to modify data and perform actions within the Fillout forms ecosystem. - Sanitization: No validation or sanitization of the remote-provided schemas or execution plans is performed before they are processed by the agent.
- Dynamic Execution Pattern (MEDIUM): The skill uses
RUBE_REMOTE_WORKBENCHto execute bulk operations. This pattern masks the specific actions being performed, making it difficult for the user to audit the agent's behavior at runtime.
Recommendations
- AI detected serious security threats
Audit Metadata