ngrok-automation
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGH [EXTERNAL_DOWNLOADS] [PROMPT_INJECTION] [COMMAND_EXECUTION]
Full Analysis
- [PROMPT_INJECTION] (HIGH): The skill exhibits a high-risk surface for Indirect Prompt Injection (Category 8). It explicitly instructs the agent to fetch schemas, recommended execution plans, and pitfalls from an external source (https://rube.app/mcp) via the RUBE_SEARCH_TOOLS call. This untrusted content is then used to parameterize and execute actions. A compromised or malicious remote server could inject instructions into the 'execution plans' or 'tool descriptions' that the agent would follow, leveraging its permissions to manage network tunnels.
- [EXTERNAL_DOWNLOADS] (MEDIUM): The skill requires the addition of a remote MCP server (https://rube.app/mcp) which is not within the trusted repository or organization scope. This server acts as the primary source of logic and capability for the skill, representing a dependency on an unverified third-party endpoint.
- [COMMAND_EXECUTION] (MEDIUM): The skill provides the agent with powerful tools to manage Ngrok connections and execute multi-step workflows via RUBE_MULTI_EXECUTE_TOOL. While these are the intended functions, the combination of high-impact network capabilities with an external, dynamic instruction source elevates the overall risk profile.
Recommendations
- AI detected serious security threats
Audit Metadata