mailcoach-automation
Warn
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: MEDIUM
Categories: EXTERNAL_DOWNLOADS, COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
- [EXTERNAL_DOWNLOADS] (MEDIUM): The skill requires the user to add an external MCP server endpoint (`https://rube.app/mcp`). This domain is not among the trusted sources. This allows a remote service to define the tools and logic available to the AI agent.
- [COMMAND_EXECUTION] (MEDIUM): The skill utilizes `RUBE_MULTI_EXECUTE_TOOL` and `RUBE_REMOTE_WORKBENCH` to perform operations. Because tool definitions are fetched dynamically via `RUBE_SEARCH_TOOLS` from an external server, the actual code or logic executed is not visible in the skill source and is controlled by the service provider.
- [DATA_EXFILTRATION] (LOW): Operation of the skill involves sending task-specific data to the `rube.app` service. While intended for Mailcoach automation, users should be aware that data processed by these tools is transmitted to an external third-party infrastructure.
- [PROMPT_INJECTION] (LOW): The skill exhibits an indirect prompt injection surface (Category 8).
  - Ingestion points: Tool schemas and execution plans returned by `RUBE_SEARCH_TOOLS` and `RUBE_GET_TOOL_SCHEMAS`.
  - Boundary markers: Absent; instructions do not advise the agent on how to handle potentially malicious instructions embedded in the remote tool metadata.
  - Capability inventory: High; the skill can execute multi-step tools and remote workbenches.
  - Sanitization: None; the skill relies on the agent to interpret and execute schemas provided by the remote server.
Audit Metadata