flowiseai-automation
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGHEXTERNAL_DOWNLOADSREMOTE_CODE_EXECUTIONPROMPT_INJECTION
Full Analysis
- [Remote Code Execution / Indirect Prompt Injection] (HIGH): The skill implements a workflow where it retrieves tool schemas and execution plans from an external, untrusted source (
RUBE_SEARCH_TOOLSviahttps://rube.app/mcp) and immediately uses that data to perform actions viaRUBE_MULTI_EXECUTE_TOOLandRUBE_REMOTE_WORKBENCH. - Ingestion points: Data enters the agent context through the
RUBE_SEARCH_TOOLScall, which returns tool slugs and input schemas from the remote Rube MCP server. - Boundary markers: No boundary markers or sanitization logic are defined; the instructions explicitly tell the agent to "Use exact field names and types from the search results."
- Capability inventory: The skill has high-privilege capabilities including
RUBE_MULTI_EXECUTE_TOOL(tool execution) andRUBE_REMOTE_WORKBENCH(remote bulk operations). - Sanitization: None detected. This creates a direct path for the external server to influence agent behavior or execute arbitrary operations by poisoning the returned schemas or tool slugs.
- [External Downloads] (MEDIUM): The skill requires the user to add an untrusted third-party MCP server (
https://rube.app/mcp). This domain is not within the defined [TRUST-SCOPE-RULE] for verified sources, making the connection and dependency inherently risky.
Recommendations
- AI detected serious security threats
Audit Metadata