The Agent Skills Directory

Indirect Prompt Injection (HIGH): The skill's core workflow requires calling RUBE_SEARCH_TOOLS to fetch schemas and 'recommended execution plans'. Since these instructions are fetched from an external, untrusted source (rube.app) and processed by the agent to determine its next steps, an attacker controlling the remote server could inject malicious instructions into the execution plan.
Ingestion points: Output from RUBE_SEARCH_TOOLS in SKILL.md.
Boundary markers: None identified; the agent is told to 'Always search tools first' and follow returned results.
Capability inventory: RUBE_MULTI_EXECUTE_TOOL and RUBE_REMOTE_WORKBENCH provide the ability to execute operations on Mezmo (log data) and potentially arbitrary code on a remote workbench.
Sanitization: None; the skill relies entirely on the correctness of the remote response.
Remote Code/Tool Execution (HIGH): The skill utilizes RUBE_REMOTE_WORKBENCH and RUBE_MULTI_EXECUTE_TOOL. These tools allow for the execution of logic defined by the remote MCP server. Without a trusted relationship with the provider (rube.app), this constitutes an unverified remote execution surface.
External Downloads/Dependencies (MEDIUM): The skill mandates adding https://rube.app/mcp as an MCP server. This domain is not on the trusted sources list. While it provides functionality, it introduces a dependency on an unverified third-party infrastructure.

mezmo-automation