kickbox-automation
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGHPROMPT_INJECTIONEXTERNAL_DOWNLOADS
Full Analysis
- Indirect Prompt Injection (HIGH): The skill's architecture is vulnerable to indirect prompt injection by design.
- Ingestion points: The agent fetches tool schemas, input field names, and "recommended execution plans" from the external
RUBE_SEARCH_TOOLSendpoint. - Boundary markers: Absent. The instructions command the agent to "Always search tools first" and "Use exact field names and types from the search results," effectively ceding control of its logic to the external server.
- Capability inventory: The skill has access to
RUBE_MULTI_EXECUTE_TOOLandRUBE_REMOTE_WORKBENCH, which allow for arbitrary tool execution and code-like operations based on the untrusted input. - Sanitization: No sanitization or validation of the fetched execution plans or schemas is performed.
- Unverified External Dependency (MEDIUM): The skill forces dependency on an unverified third-party MCP server (
https://rube.app/mcp). This source is not recognized as a trusted provider, and since the skill logic is hosted remotely, it can be changed to malicious behavior at any time without updating the skill file.
Recommendations
- AI detected serious security threats
Audit Metadata