news-api-automation
Fail
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: HIGH
Flags: EXTERNAL_DOWNLOADS, COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
- [Indirect Prompt Injection] (HIGH): The skill exhibits a significant vulnerability surface by processing external, attacker-controllable data.
  - Ingestion points: Untrusted news article content and metadata fetched via the news_api toolkit.
  - Boundary markers: Absent. The instructions do not define delimiters or provide 'ignore embedded instructions' warnings for processed data.
  - Capability inventory: The skill provides access to RUBE_MULTI_EXECUTE_TOOL and RUBE_REMOTE_WORKBENCH. These allow for broad tool execution and complex operations that could be hijacked by instructions hidden in news articles.
  - Sanitization: Absent. There is no requirement or mechanism for the agent to sanitize external content before using it to determine subsequent tool calls or workbench logic.
- [External Downloads] (MEDIUM): The skill relies on an external, unverified MCP server endpoint (https://rube.app/mcp). This introduces a third-party dependency outside of the defined trusted sources, which could be compromised to serve malicious tool schemas or execution plans.
- [Command Execution] (MEDIUM): Through the RUBE_REMOTE_WORKBENCH and RUBE_MULTI_EXECUTE_TOOL functions, the skill permits the agent to execute a wide array of tools dynamically. When combined with the lack of sanitization for ingested news data, this creates a path for unintended command execution driven by external content.
Recommendations
- AI detected serious security threats