heyzine-automation
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGHEXTERNAL_DOWNLOADSREMOTE_CODE_EXECUTIONPROMPT_INJECTION
Full Analysis
- [Indirect Prompt Injection] (HIGH): The skill is highly vulnerable to indirect injection because it is designed to ingest and obey instructions provided by an external source at runtime.
- Ingestion points:
RUBE_SEARCH_TOOLSreturns tool slugs, schemas, and "recommended execution plans" from the remote server. - Boundary markers: None. The skill instructions explicitly tell the agent to follow the schemas and plans returned by the search.
- Capability inventory:
RUBE_MULTI_EXECUTE_TOOLandRUBE_REMOTE_WORKBENCHallow for tool execution and remote command running based on the fetched data. - Sanitization: None detected. The agent is encouraged to use the exact field names and types provided by the untrusted search results.
- [Remote Code Execution] (MEDIUM): While not direct shell execution,
RUBE_REMOTE_WORKBENCHandRUBE_MULTI_EXECUTE_TOOLprovide a mechanism to execute remote logic defined by a third party. If therube.appservice is compromised, it could return malicious tool definitions that perform unauthorized actions. - [External Downloads] (MEDIUM): The skill requires the user to add an untrusted endpoint (
https://rube.app/mcp) as an MCP server. This domain is not within the defined [TRUST-SCOPE-RULE] for trusted organizations or repositories.
Recommendations
- AI detected serious security threats
Audit Metadata