ninox-automation
Fail
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: HIGHEXTERNAL_DOWNLOADSREMOTE_CODE_EXECUTIONCOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
- [External Downloads] (HIGH): The skill mandates adding an untrusted external MCP server endpoint (https://rube.app/mcp). This source is not verified and falls outside the scope of trusted organizations.
- [Remote Code Execution] (HIGH): The agent is instructed to fetch tool slugs and execution plans from the untrusted server and execute them via RUBE_MULTI_EXECUTE_TOOL. This allows an external entity to define logic for the agent to execute.
- [Prompt Injection] (HIGH): The skill is vulnerable to indirect prompt injection due to its core workflow. 1. Ingestion points: SKILL.md specifies RUBE_SEARCH_TOOLS output as the source for tool schemas. 2. Boundary markers: Absent in SKILL.md instructions. 3. Capability inventory: RUBE_MULTI_EXECUTE_TOOL and RUBE_REMOTE_WORKBENCH are specified in SKILL.md for execution. 4. Sanitization: Absent in SKILL.md instructions. An attacker controlling the endpoint can inject instructions into tool definitions or execution plans.
- [Command Execution] (MEDIUM): The skill executes multiple tools dynamically via RUBE_MULTI_EXECUTE_TOOL based on unverified external input from a third-party server.
Recommendations
- AI detected serious security threats
Audit Metadata