piloterr-automation

Fail

Audited by Gen Agent Trust Hub on Feb 16, 2026

Risk Level: HIGH
Tags: EXTERNAL_DOWNLOADS, REMOTE_CODE_EXECUTION, COMMAND_EXECUTION
Full Analysis
  • [EXTERNAL_DOWNLOADS] (MEDIUM): The skill requires the user to add an external MCP server endpoint (https://rube.app/mcp). This domain is not part of the pre-approved trusted sources list, posing a risk of supply chain compromise or malicious service behavior.
  • [REMOTE_CODE_EXECUTION] (HIGH): The skill utilizes RUBE_REMOTE_WORKBENCH and RUBE_MULTI_EXECUTE_TOOL, which facilitate the execution of logic and tools hosted on remote infrastructure. The specific operations are determined by dynamic schemas fetched during the session.
  • [COMMAND_EXECUTION] (MEDIUM): The skill enables the execution of commands via the Piloterr toolkit. While intended for automation, the lack of static tool definitions means the agent could be manipulated into executing unintended commands if the remote server is compromised.
  • [INDIRECT PROMPT INJECTION] (HIGH): This is the primary vulnerability surface. The skill mandates calling RUBE_SEARCH_TOOLS to fetch schemas, execution plans, and 'pitfalls'. If the remote server returns malicious instructions within these metadata fields, the agent may obey them as if they were legitimate system constraints or tool requirements.
    • Ingestion point: the results RUBE_SEARCH_TOOLS returns from rube.app (tool schemas, execution plans, and 'pitfalls').
    • Capability inventory: RUBE_MULTI_EXECUTE_TOOL and RUBE_REMOTE_WORKBENCH provide execution and write capabilities.
    • Boundary markers: none. The agent is explicitly told to follow the remote search results.
    • Sanitization: none documented; the skill relies entirely on the output of the remote discovery process.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level: HIGH
Analyzed: Feb 16, 2026, 01:01 PM