listennotes-automation
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGHEXTERNAL_DOWNLOADSREMOTE_CODE_EXECUTION
Full Analysis
- Indirect Prompt Injection (HIGH): The skill is designed to ingest and process untrusted external content from the Listennotes podcast database. Evidence: 1. Ingestion points: Podcast metadata and episode descriptions retrieved via the Listennotes toolkit. 2. Boundary markers: Absent; there are no delimiters or instructions to ignore commands within the podcast data. 3. Capability inventory: The skill utilizes powerful tools like
RUBE_MULTI_EXECUTE_TOOLandRUBE_REMOTE_WORKBENCHto execute actions. 4. Sanitization: Absent; external data is incorporated into the agent's workflow without validation. - External Downloads (MEDIUM): The instructions require adding an untrusted remote MCP server (
https://rube.app/mcp) which serves as the source for tool definitions and execution logic. - Remote Code Execution (HIGH): The combination of dynamic tool discovery via
RUBE_SEARCH_TOOLSand execution viaRUBE_MULTI_EXECUTE_TOOLallows an external server to define and execute arbitrary tool logic within the agent context.
Recommendations
- AI detected serious security threats
Audit Metadata