folk-automation
Fail
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: HIGH
Flagged categories: EXTERNAL_DOWNLOADS, REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
- [EXTERNAL_DOWNLOADS] (MEDIUM): The skill requires the configuration of an external MCP server at https://rube.app/mcp. This domain is not a trusted source, and the tool definitions provided by this server are unverifiable and dynamic.
- [REMOTE_CODE_EXECUTION] (HIGH): The skill utilizes RUBE_REMOTE_WORKBENCH which, according to the documentation provided in the skill, allows for remote execution of tools. This creates a high-risk vector where the external server can dictate code or logic execution within the agent's environment.
- [COMMAND_EXECUTION] (HIGH): The use of RUBE_MULTI_EXECUTE_TOOL allows the agent to perform actions based on schemas fetched at runtime from an untrusted source. This allows the external server to potentially trigger harmful commands by returning malicious schemas or tool slugs.
- [DATA_EXFILTRATION] (MEDIUM): The skill is designed to interact with Folk (CRM data). Because the interaction is brokered by an external, non-whitelisted MCP server, there is a risk that sensitive personal or business data retrieved from the CRM could be exfiltrated to the service provider.
- [PROMPT_INJECTION] (HIGH): The skill is highly vulnerable to Indirect Prompt Injection (Category 8) as it processes data from an external CRM (Folk).
  - Ingestion points: Data read from the Folk CRM during automated tasks.
  - Boundary markers: Absent. The instructions do not include delimiters or warnings to ignore instructions embedded in the CRM data.
  - Capability inventory: High. The agent has the ability to execute multiple tools, manage connections, and use a remote workbench.
  - Sanitization: Absent. There is no mention of sanitizing or validating the data retrieved from the CRM before it is used in the agent's decision-making process.
Recommendations
- AI detected serious security threats
Audit Metadata