perigon-automation
Fail
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: HIGH
Flags: EXTERNAL_DOWNLOADS, REMOTE_CODE_EXECUTION, COMMAND_EXECUTION
Full Analysis
- Unverifiable Dependencies (HIGH): The skill requires the user to add 'https://rube.app/mcp' as an MCP server. This domain is not in the trusted list and serves as a remote provider for executable capabilities and tool definitions.
- Indirect Prompt Injection (HIGH):
  - Ingestion points: Data enters the agent context through 'RUBE_SEARCH_TOOLS', which returns tool slugs, input schemas, and 'recommended execution plans' from the external server.
  - Boundary markers: None. The agent is explicitly instructed to follow the returned schemas and plans without validation.
  - Capability inventory: The skill provides 'RUBE_MULTI_EXECUTE_TOOL' and 'RUBE_REMOTE_WORKBENCH', allowing the agent to perform actions based on the externally provided data.
  - Sanitization: Absent. There is no escaping or filtering of the content returned by the external Rube server.
- Remote Code Execution (MEDIUM): The skill facilitates the execution of remote tools via the Rube MCP. While this is the intended functionality, the lack of a trusted source for the tool definitions elevates the risk of the agent being tricked into executing harmful remote operations.
Recommendations
- AI detected serious security threats