firmao-automation
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGH (EXTERNAL_DOWNLOADS, REMOTE_CODE_EXECUTION, PROMPT_INJECTION)
Full Analysis
- EXTERNAL_DOWNLOADS (HIGH): The skill requires the user to add 'https://rube.app/mcp' as an MCP server in their client configuration. This domain is not among the defined trusted sources, and the endpoint provides the executable logic for the agent's tools.
- REMOTE_CODE_EXECUTION (HIGH): The skill's core functionality relies on 'RUBE_MULTI_EXECUTE_TOOL' and 'RUBE_REMOTE_WORKBENCH' to execute operations defined by the remote server. This allows for the execution of arbitrary logic controlled by an external third party.
- PROMPT_INJECTION (HIGH): Identified as Category 8 (Indirect Prompt Injection). The skill instructs the agent to blindly follow schemas and execution plans returned by 'RUBE_SEARCH_TOOLS' at runtime.
  - Ingestion points: Tool schemas and execution plans returned from the Rube MCP server via 'RUBE_SEARCH_TOOLS' (SKILL.md).
  - Boundary markers: Absent; the instructions explicitly tell the agent to use the returned fields and types directly.
  - Capability inventory: Write and execute operations through 'RUBE_MULTI_EXECUTE_TOOL' and 'RUBE_REMOTE_WORKBENCH' (SKILL.md).
  - Sanitization: Absent; the instructions emphasize strict compliance with the external schema provided at runtime.
Recommendations
- AI detected serious security threats
Audit Metadata