imagekit-io-automation
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGH
Tags: PROMPT_INJECTION, EXTERNAL_DOWNLOADS, COMMAND_EXECUTION
Full Analysis
- [Indirect Prompt Injection] (HIGH): The skill relies on fetching dynamic tool schemas and execution plans from an external API (rube.app), which the agent then processes to perform write operations. A malicious response from this API could hijack the agent's logic to perform unauthorized Imagekit IO tasks.
  - Ingestion points: SKILL.md (Tool Discovery section via RUBE_SEARCH_TOOLS)
  - Boundary markers: Absent; no instructions to ignore embedded commands in tool outputs.
  - Capability inventory: RUBE_MULTI_EXECUTE_TOOL and RUBE_REMOTE_WORKBENCH (file write, delete, and transformation capabilities).
  - Sanitization: Absent; the skill blindly follows discovered schemas.
- [External Downloads] (MEDIUM): The skill requires connecting to https://rube.app/mcp, an unverified third-party endpoint not listed as a trusted source.
- [Command Execution] (MEDIUM): The use of RUBE_MULTI_EXECUTE_TOOL allows remote, non-static execution of logic based on data retrieved at runtime, increasing the risk of unauthorized system operations if the source is compromised.
Recommendations
- AI detected serious security threats
Audit Metadata