leiga-automation
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGH (EXTERNAL_DOWNLOADS, COMMAND_EXECUTION, PROMPT_INJECTION)
Full Analysis
- Indirect Prompt Injection (HIGH): The skill possesses a high-risk vulnerability surface due to the combination of external data ingestion and write/execute capabilities.
  - Ingestion points: Data is retrieved from the Leiga platform and the rube.app tool discovery endpoint.
  - Boundary markers: Absent. There are no instructions provided to the agent to distinguish between tool metadata and malicious content within Leiga tasks or schemas.
  - Capability inventory: Includes RUBE_MULTI_EXECUTE_TOOL and RUBE_REMOTE_WORKBENCH, which allow the agent to execute actions with side effects in the Leiga environment.
  - Sanitization: Absent. The skill does not implement validation or escaping for data retrieved from external tools before processing.
- Unverifiable Dependencies & Remote Execution (HIGH): The skill requires the configuration of an external MCP server at https://rube.app/mcp.
  - Untrusted Source: rube.app is not a verified source according to safety protocols.
  - Dynamic Execution: The instructions mandate calling RUBE_SEARCH_TOOLS to fetch schemas and execution plans at runtime rather than hardcoding. This allows the remote server to dynamically alter the agent's behavior or inject malicious tool slugs/arguments.
- Data Exposure Risk (MEDIUM): The skill manages authentication via RUBE_MANAGE_CONNECTIONS. The claim 'No API keys needed' suggests that authentication sessions or tokens are managed on the third-party rube.app infrastructure, creating a centralized point of potential credential exposure.
Recommendations
- AI detected serious security threats
Audit Metadata