kadoa-automation

Fail

Audited by Gen Agent Trust Hub on Feb 16, 2026

Risk Level: HIGH
EXTERNAL_DOWNLOADS, REMOTE_CODE_EXECUTION, PROMPT_INJECTION
Full Analysis
  • [Indirect Prompt Injection] (HIGH): The skill is designed to ingest untrusted data from an external API (RUBE_SEARCH_TOOLS) and immediately use that data to drive high-privilege tool executions (RUBE_MULTI_EXECUTE_TOOL).
    * Ingestion points: The output of RUBE_SEARCH_TOOLS (tool slugs, schemas, execution plans) is treated as authoritative in SKILL.md.
    * Boundary markers: Absent. No instructions are provided to the agent to validate or distinguish between the system's goals and potentially malicious instructions returned from the search tool results.
    * Capability inventory: High-privilege tools including RUBE_MULTI_EXECUTE_TOOL and RUBE_REMOTE_WORKBENCH are available to execute instructions derived from the external search content.
    * Sanitization: Absent. The workflow encourages using exact field names and types from search results without any validation step.
  • [External Downloads / Remote Code Execution] (MEDIUM): The skill instructs users to add an unverified third-party MCP server (https://rube.app/mcp) to their configuration. This server acts as a remote source of logic and tool definitions, representing an unverifiable dependency outside of the defined trust scope.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level: HIGH
Analyzed: Feb 16, 2026, 01:16 PM