flexisign-automation
Fail
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: HIGHEXTERNAL_DOWNLOADSREMOTE_CODE_EXECUTIONPROMPT_INJECTION
Full Analysis
- [EXTERNAL_DOWNLOADS] (HIGH): The skill requires the addition of an untrusted MCP server endpoint (
https://rube.app/mcp). This source is not on the trusted external sources list, making the dependency unverifiable and potentially malicious. - [REMOTE_CODE_EXECUTION] (HIGH): The skill is designed to execute tools provided by the remote MCP server via
RUBE_MULTI_EXECUTE_TOOLandRUBE_REMOTE_WORKBENCH. This creates a pathway for remote code execution if the external server provides tools with malicious side effects. - [PROMPT_INJECTION] (HIGH): Significant Indirect Prompt Injection surface (Category 8).
- Ingestion points: Data enters the agent's context through
RUBE_SEARCH_TOOLS, which returns external tool slugs, schemas, and 'recommended execution plans' from an untrusted remote server. - Boundary markers: Absent. There are no instructions to validate or sanitize the execution plans or tool definitions returned by the remote server.
- Capability inventory: The skill has extensive execution capabilities, including
RUBE_MULTI_EXECUTE_TOOLfor running discovered tools andRUBE_REMOTE_WORKBENCHfor remote operations. - Sanitization: Absent. The agent is explicitly told to use the returned schemas and plans directly to execute workflows, making it vulnerable to malicious instructions embedded in the search results.
Recommendations
- AI detected serious security threats
Audit Metadata