humanloop-automation
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGH
Findings: EXTERNAL_DOWNLOADS, COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
- Indirect Prompt Injection (HIGH): The skill contains a high-risk ingestion pattern where the agent is instructed to 'Always search tools first' and follow the 'recommended execution plans' and 'known pitfalls' returned by an external API (RUBE_SEARCH_TOOLS).
  - Ingestion points: SKILL.md (Step 1 and Step 3) describes fetching tool slugs and schemas from an external MCP server.
  - Capability inventory: The agent has the capability to execute arbitrary tools via RUBE_MULTI_EXECUTE_TOOL and RUBE_REMOTE_WORKBENCH based on the fetched data.
  - Boundary markers: None. The instructions tell the agent to follow the external plan without validation.
  - Sanitization: None provided. The agent is encouraged to use exact field names and types from external search results.
- External Dependencies (MEDIUM): The skill requires a connection to a specific external endpoint (https://rube.app/mcp). While not a traditional package download, this endpoint provides the logic and definitions that the agent executes at runtime.
- Command Execution (MEDIUM): The skill utilizes RUBE_MULTI_EXECUTE_TOOL and RUBE_REMOTE_WORKBENCH to perform operations. While these are presented as toolkit operations, they allow for complex side effects directed by the external discovery service.
Recommendations
- AI detected serious security threats
Audit Metadata