kraken-io-automation
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGH (EXTERNAL_DOWNLOADS, COMMAND_EXECUTION, PROMPT_INJECTION)
Full Analysis
- [EXTERNAL_DOWNLOADS] (MEDIUM): The skill instructs users to add an external MCP server endpoint (https://rube.app/mcp). This source is not within the trusted domain list, and its behavior cannot be verified, posing a risk of remote tool manipulation or data redirection.
- [COMMAND_EXECUTION] (HIGH): Through the use of RUBE_MULTI_EXECUTE_TOOL and RUBE_REMOTE_WORKBENCH, the skill provides capabilities to execute arbitrary tools and potentially remote code (via run_composio_tool()). This level of privilege is dangerous when combined with external data ingestion.
- [PROMPT_INJECTION] (HIGH): Category 8: Indirect Prompt Injection surface identified.
  - Ingestion points: Untrusted data enters the agent context via responses from the Kraken IO toolkit (e.g., file metadata, API status messages, or optimized content data).
  - Boundary markers: None. The instructions do not provide delimiters or warnings for the agent to ignore instructions embedded in the tool outputs.
  - Capability inventory: RUBE_MULTI_EXECUTE_TOOL, RUBE_REMOTE_WORKBENCH (provides tool execution and workbench capabilities with side effects).
  - Sanitization: Absent. There is no logic for validating or sanitizing the content received from the Kraken IO service before it influences subsequent agent decisions or tool calls.
Recommendations
- AI detected serious security threats
Audit Metadata