The Agent Skills Directory

[Remote Code Execution / Indirect Prompt Injection] (HIGH): The skill implements a 'blind trust' pattern by mandating that the agent use RUBE_SEARCH_TOOLS to discover tool slugs, schemas, and execution plans at runtime. Because the agent is instructed to 'Always search tools first' and use 'exact field names and types from the search results,' an attacker controlling the remote MCP server could inject malicious commands or instructions into these schemas which the agent would then execute via RUBE_MULTI_EXECUTE_TOOL or RUBE_REMOTE_WORKBENCH.
Ingestion points: RUBE_SEARCH_TOOLS response (external/untrusted data).
Boundary markers: None present; the agent is explicitly told to follow the remote response exactly.
Capability inventory: RUBE_MULTI_EXECUTE_TOOL and RUBE_REMOTE_WORKBENCH allow for arbitrary execution of tools discovered via the remote endpoint.
Sanitization: None described; the workflow relies entirely on remote schemas.
[External Downloads] (MEDIUM): The skill requires the user to add an external, unverified MCP server https://rube.app/mcp. This server is not on the trusted list and serves as the primary control point for all skill actions.
[Metadata Poisoning] (LOW): The setup instructions claim 'No API keys needed — just add the endpoint and it works.' This is misleading for a service that automates third-party platforms (Gagelist), potentially obscuring the true authentication or data access model used by the Rube proxy.

gagelist-automation