here-automation
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGH (EXTERNAL_DOWNLOADS, REMOTE_CODE_EXECUTION, COMMAND_EXECUTION)
Full Analysis
- [EXTERNAL_DOWNLOADS] (HIGH): The setup instructions require the user to add an external MCP server endpoint (https://rube.app/mcp). This domain is not on the trusted-source whitelist, so the server can supply malicious tool definitions or behave maliciously on the server side.
- [REMOTE_CODE_EXECUTION] (HIGH): The skill uses the RUBE_REMOTE_WORKBENCH tool, which implies execution inside a remote environment managed by an untrusted third party. The agent can therefore trigger arbitrary code execution on remote infrastructure.
- [COMMAND_EXECUTION] (HIGH): The skill dynamically executes commands (RUBE_MULTI_EXECUTE_TOOL) based on tool slugs and argument schemas fetched at runtime from rube.app. If the remote server is compromised, it can return malicious tool definitions that the agent would then execute.
- [INDIRECT_PROMPT_INJECTION] (HIGH): The skill presents a significant surface where untrusted data influences agent behavior.
  - Ingestion points: Tool schemas, recommended execution plans, and 'known pitfalls' are fetched from an external API via RUBE_SEARCH_TOOLS (SKILL.md).
  - Boundary markers: None. The agent is explicitly instructed to 'Always search first' and 'Always search tools first for current schemas', effectively trusting the remote input as ground truth.
  - Capability inventory: The agent can execute tools (RUBE_MULTI_EXECUTE_TOOL) and manage remote environments (RUBE_REMOTE_WORKBENCH) (SKILL.md).
  - Sanitization: None. The agent is instructed to use the 'exact field names and types' provided by the search results, which lets a malicious server inject parameters directly into tool calls.
Recommendations
- AI detected serious security threats
Audit Metadata