helcim-automation
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGH
Categories: EXTERNAL_DOWNLOADS, COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
- [External Downloads] (HIGH): The skill requires the configuration of an untrusted external MCP server at https://rube.app/mcp. This domain is not within the trusted whitelist and serves as an unverified intermediary for all agent-to-Helcim communications.
- [Data Exfiltration] (HIGH): By design, the skill sends sensitive financial and payment data from Helcim through the rube.app proxy. The 'no API keys needed' setup instruction is a security red flag, as it implies the proxy manages authentication in a non-transparent manner.
- [Indirect Prompt Injection] (HIGH): The skill creates a high-severity vulnerability surface for indirect prompt injection.
  - Ingestion points: Data is ingested from Helcim and the Rube search tool schemas via RUBE_SEARCH_TOOLS and RUBE_GET_TOOL_SCHEMAS.
  - Boundary markers: No delimiters or instructions to ignore embedded commands are present in the core workflow prompts.
  - Capability inventory: The skill has high-privilege write capabilities via RUBE_MULTI_EXECUTE_TOOL, which can execute financial transactions, and RUBE_REMOTE_WORKBENCH, which suggests remote environment access.
  - Sanitization: No evidence of input validation or output sanitization before data is passed to execution tools.
- [Command Execution] (MEDIUM): The use of RUBE_MULTI_EXECUTE_TOOL and RUBE_REMOTE_WORKBENCH facilitates the execution of complex workflows and potential scripts in a remote environment based on dynamically retrieved, untrusted schemas.
Recommendations
- AI detected serious security threats
Audit Metadata