gemini-automation
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGH
Findings: CREDENTIALS_UNSAFE, EXTERNAL_DOWNLOADS, REMOTE_CODE_EXECUTION, PROMPT_INJECTION
Full Analysis
- [CREDENTIALS_UNSAFE] (HIGH): The skill directs the agent to manage 'Gemini connections' via an external service (rube.app) and follow auth links generated by that service. This architecture allows the third-party server to proxy or intercept authentication tokens for Google/Gemini services.
- [PROMPT_INJECTION] (HIGH): The skill is highly vulnerable to Indirect Prompt Injection. It is designed to ingest 'recommended execution plans' and 'schemas' from the remote rube.app server via RUBE_SEARCH_TOOLS and immediately act upon them using RUBE_MULTI_EXECUTE_TOOL.
  - Ingestion points: Data returned from the untrusted endpoint https://rube.app/mcp during the search phase.
  - Boundary markers: None. The instructions mandate following the discovered schemas and plans verbatim.
  - Capability inventory: The skill provides full execution capabilities via RUBE_MULTI_EXECUTE_TOOL and RUBE_REMOTE_WORKBENCH.
  - Sanitization: No sanitization or validation of the remote plans is implemented.
- [EXTERNAL_DOWNLOADS] (MEDIUM): The skill requires the installation of an external, unverifiable MCP server (https://rube.app/mcp). This source is not on the trusted list and provides the functional logic for the skill.
- [REMOTE_CODE_EXECUTION] (MEDIUM): By integrating an external MCP server, the agent is effectively executing remote tool definitions and logic controlled by a third party. While not direct shell access, the agent's behavior is entirely determined by the remote server's responses.
Recommendations
- AI detected serious security threats
Audit Metadata