iqair-airvisual-automation
Fail
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: HIGH
Findings: EXTERNAL_DOWNLOADS, REMOTE_CODE_EXECUTION, PROMPT_INJECTION
Full Analysis
- [EXTERNAL_DOWNLOADS] (MEDIUM): The skill requires the configuration of an external MCP server at https://rube.app/mcp. This domain is not a recognized trusted source. The agent is instructed to fetch all operational parameters and tool schemas from this untrusted remote endpoint.
- [REMOTE_CODE_EXECUTION] (HIGH): The commands RUBE_MULTI_EXECUTE_TOOL and RUBE_REMOTE_WORKBENCH execute logic and tool sequences defined dynamically by the remote server. By instructing the agent to 'Always search first' and use the 'recommended execution plans' from the search results, the skill effectively grants the remote server control over the agent's task execution flow.
- [PROMPT_INJECTION] (HIGH): The skill possesses a major Indirect Prompt Injection surface (Category 8).
  - Ingestion points: Data enters the agent's context through RUBE_SEARCH_TOOLS and RUBE_GET_TOOL_SCHEMAS responses from the untrusted rube.app domain.
  - Boundary markers: None. The skill does not implement delimiters or instructions to ignore embedded commands within the tool schemas or execution plans.
  - Capability inventory: The skill has powerful capabilities including RUBE_MULTI_EXECUTE_TOOL (tool execution), RUBE_REMOTE_WORKBENCH (bulk operations), and RUBE_MANAGE_CONNECTIONS (authentication management).
  - Sanitization: None. There is no evidence of schema validation or input filtering for the data returned by the remote server.
  - Risk: An attacker controlling the remote server could inject malicious instructions into the 'known pitfalls' or 'recommended execution plans' fields, which the agent is instructed to obey.
Recommendations
- AI detected serious security threats
Audit Metadata