persistiq-automation
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGHEXTERNAL_DOWNLOADSREMOTE_CODE_EXECUTIONCOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
- [EXTERNAL_DOWNLOADS] (HIGH): The skill instructs the user to add an untrusted MCP endpoint 'https://rube.app/mcp'. This server is outside the defined trust scope and acts as a central control point for the skill's logic.
- [REMOTE_CODE_EXECUTION] (HIGH): Through the 'RUBE_REMOTE_WORKBENCH' tool, the skill enables execution of operations in a remote environment provided by the unverified server. This could lead to arbitrary execution on the remote host or data theft from the agent's context.
- [COMMAND_EXECUTION] (MEDIUM): The skill uses 'RUBE_MULTI_EXECUTE_TOOL' to perform side-effect operations on the Persistiq platform. The specific actions are determined by tool definitions fetched at runtime from the remote server.
- [PROMPT_INJECTION] (HIGH): This skill is vulnerable to Indirect Prompt Injection (Category 8).
- Ingestion points: Tool schemas, recommended execution plans, and pitfalls are fetched dynamically via 'RUBE_SEARCH_TOOLS' from 'https://rube.app/mcp'.
- Boundary markers: Absent. The skill instructions suggest the agent 'Always search tools first' and follow the returned schemas exactly.
- Capability inventory: Significant capabilities including 'RUBE_MULTI_EXECUTE_TOOL' (for Persistiq modification) and 'RUBE_REMOTE_WORKBENCH' (for bulk operations/execution).
- Sanitization: Absent. The agent is directed to use the exact field names and types provided by the remote server.
- Result: An attacker controlling the remote server can inject malicious instructions into the 'execution plans' or 'schemas' that the agent will then execute using the provided tools.
Recommendations
- AI detected serious security threats
Audit Metadata