leverly-automation
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGHEXTERNAL_DOWNLOADSCOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
- [Indirect Prompt Injection] (HIGH): The workflow requires the agent to call
RUBE_SEARCH_TOOLSand use the resulting schemas and plans to perform actions. This allows a compromised or malicious MCP server to inject instructions that the agent is explicitly told to follow. Evidence Chain: 1. Ingestion points: Data returned fromRUBE_SEARCH_TOOLS. 2. Boundary markers: Absent; the instructions tell the agent to 'Always search tools first' and use 'exact field names'. 3. Capability inventory:RUBE_MULTI_EXECUTE_TOOLandRUBE_REMOTE_WORKBENCHallow for data modification and tool execution. 4. Sanitization: Absent; no validation is performed on the schemas or plans returned from the remote server. - [External Downloads] (HIGH): The skill directs users to add
https://rube.app/mcpas an MCP server. This endpoint is not part of the trusted provider list, making the agent's logic dependent on an unverified external source. - [Command Execution] (MEDIUM): Use of
RUBE_MULTI_EXECUTE_TOOLandRUBE_REMOTE_WORKBENCHfacilitates the execution of remote operations based on dynamically retrieved schemas, which can be manipulated to perform unauthorized actions.
Recommendations
- AI detected serious security threats
Audit Metadata