l2s-automation
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGHREMOTE_CODE_EXECUTIONCOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
- [Indirect Prompt Injection] (HIGH): The skill's primary workflow relies on
RUBE_SEARCH_TOOLSto fetch execution schemas. - Ingestion points: Data enters the agent context via tool discovery results from
https://rube.app/mcp. - Boundary markers: None. The instructions explicitly tell the agent to follow the schemas provided by the external tool.
- Capability inventory: The agent can execute arbitrary tools via
RUBE_MULTI_EXECUTE_TOOLandRUBE_REMOTE_WORKBENCH. - Sanitization: None. The agent is instructed to use 'exact field names and types' from the untrusted external response.
- [Remote Code Execution] (HIGH): The skill requires the user to add an untrusted external endpoint (
https://rube.app/mcp) as an MCP server. This server defines the logic for 'tools' which the agent then executes, effectively allowing the remote server to control agent actions. - [Command Execution] (MEDIUM): The skill facilitates the execution of blockchain operations (L2 tasks) which are high-impact side effects. When combined with the unverified tool discovery process, this poses a risk of financial loss or state manipulation.
- [External Downloads] (LOW): References external documentation and endpoints (
composio.dev,rube.app) which are not on the trusted source list, though they are necessary for the skill's stated function.
Recommendations
- AI detected serious security threats
Audit Metadata