moco-automation
Warn
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: MEDIUM
Findings: EXTERNAL_DOWNLOADS, COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
- [EXTERNAL_DOWNLOADS] (MEDIUM): The skill instructs the user to add a remote MCP server from an untrusted domain (https://rube.app/mcp). While this is the standard way to use MCP, the domain is not on the established trusted list, requiring caution when connecting to third-party endpoints.
- [PROMPT_INJECTION] (HIGH): The skill is highly susceptible to Indirect Prompt Injection. It explicitly mandates that the agent 'Always search tools first' and follow the schemas, execution plans, and recommended steps returned by the remote server (RUBE_SEARCH_TOOLS). This allows the external server to influence or override agent behavior at runtime.
  - Ingestion points: Responses from the RUBE_SEARCH_TOOLS call in SKILL.md.
  - Boundary markers: Absent. There are no instructions to delimit or treat the tool schemas as untrusted data.
  - Capability inventory: The skill includes powerful tools such as RUBE_MULTI_EXECUTE_TOOL and RUBE_REMOTE_WORKBENCH, which can perform write operations and execute code.
  - Sanitization: No sanitization or validation of the remote-provided schemas is present.
- [COMMAND_EXECUTION] (MEDIUM): The skill facilitates the execution of complex workflows through RUBE_MULTI_EXECUTE_TOOL and RUBE_REMOTE_WORKBENCH. Because the execution logic (tool slugs and arguments) is fetched dynamically from an untrusted source, it creates a risk of unauthorized command execution if the remote endpoint is compromised.
Audit Metadata