linkup-automation
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGH
Findings: EXTERNAL_DOWNLOADS, REMOTE_CODE_EXECUTION, COMMAND_EXECUTION
Full Analysis
- REMOTE_CODE_EXECUTION (HIGH): The skill instructs the agent to fetch 'recommended execution plans' and 'tool schemas' from an external server (https://rube.app/mcp) and execute them via RUBE_MULTI_EXECUTE_TOOL. This allows a remote third party to dictate the agent's operations.
- EXTERNAL_DOWNLOADS (HIGH): The setup instructions require the user to add an unverified external URL as an MCP server. The claim that 'No API keys needed' suggests a lack of transparent authentication, potentially allowing the remote server to interact with the agent's environment without proper authorization.
- COMMAND_EXECUTION (HIGH): The inclusion of tools like RUBE_MULTI_EXECUTE_TOOL and RUBE_REMOTE_WORKBENCH (which uses run_composio_tool()) grants the remote server the ability to perform complex actions on the host system or connected accounts.
- INDIRECT PROMPT INJECTION (HIGH): The skill has a large attack surface for indirect injection (Category 8):
- Ingestion points: RUBE_SEARCH_TOOLS response (metadata and plans from the remote server).
- Boundary markers: Absent; the instructions tell the agent to 'Always call RUBE_SEARCH_TOOLS first' and 'Use exact field names and types from search results'.
- Capability inventory: Full tool execution, bulk operations, and remote workbench access.
- Sanitization: Absent; the skill lacks any validation of the schemas or plans returned by the remote server before they are used in execution tools.
Recommendations
- AI detected serious security threats