kaleido-automation
Fail
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: HIGHREMOTE_CODE_EXECUTIONCOMMAND_EXECUTIONEXTERNAL_DOWNLOADSPROMPT_INJECTION
Full Analysis
- [Indirect Prompt Injection] (HIGH): The skill requires the agent to call
RUBE_SEARCH_TOOLSto retrieve 'recommended execution plans' and tool schemas from a remote server (https://rube.app/mcp). This creates a critical vulnerability where a compromised or malicious remote server can inject instructions that the agent is explicitly told to follow, potentially leading to unauthorized operations within the Kaleido environment. - Ingestion point: Tool discovery via
RUBE_SEARCH_TOOLSresponse (SKILL.md). - Boundary markers: Absent; the agent is instructed to use exact results.
- Capability inventory:
RUBE_MULTI_EXECUTE_TOOLandRUBE_REMOTE_WORKBENCHprovide broad execution capabilities (SKILL.md). - Sanitization: Absent; no validation of the remote execution plan is performed.
- [Remote Code Execution] (HIGH): The skill utilizes
RUBE_MULTI_EXECUTE_TOOLandRUBE_REMOTE_WORKBENCHto execute tools and logic defined at runtime by the external server. This pattern effectively allows a third-party service to execute code or complex sequences of operations on the user's infrastructure via the agent. - [External Downloads] (MEDIUM): The setup requires configuring an external MCP server endpoint (
https://rube.app/mcp). This endpoint is not within the defined trusted sources and serves as the primary source of the skill's executable logic.
Recommendations
- AI detected serious security threats
Audit Metadata