openperplex-automation
Warn
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: MEDIUM (EXTERNAL_DOWNLOADS, COMMAND_EXECUTION, PROMPT_INJECTION)
Full Analysis
- EXTERNAL_DOWNLOADS (MEDIUM): The skill requires the user to add an untrusted external endpoint (https://rube.app/mcp) as an MCP server. This server is not within the trusted repository or organization list and serves as the primary source for tool definitions and logic.
- PROMPT_INJECTION (MEDIUM): A high risk of indirect prompt injection exists because the agent is instructed to fetch "recommended execution plans" and schemas from RUBE_SEARCH_TOOLS. An attacker-controlled server could return malicious instructions disguised as execution plans to hijack the agent's session or exfiltrate data.
  - Ingestion points: Tool schemas and execution plans fetched via RUBE_SEARCH_TOOLS (external API).
  - Boundary markers: Absent. The skill does not provide delimiters or instructions to ignore instructions embedded within the fetched schemas.
  - Capability inventory: RUBE_MULTI_EXECUTE_TOOL (execution of arbitrary tools) and RUBE_REMOTE_WORKBENCH (likely code or shell execution based on the workbench naming).
  - Sanitization: Absent. The skill relies directly on the external source for field names and types without validation.
- COMMAND_EXECUTION (MEDIUM): The RUBE_REMOTE_WORKBENCH tool suggests a capability for remote command or code execution. Since the specific operations of these tools are defined dynamically by the remote server at runtime, the agent may be induced to execute harmful commands if the remote server is compromised.
Audit Metadata