pilvio-automation
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGHEXTERNAL_DOWNLOADSREMOTE_CODE_EXECUTIONPROMPT_INJECTION
Full Analysis
- [Indirect Prompt Injection] (HIGH): The skill instructions mandate that the agent fetch and follow 'recommended execution plans' and tool schemas from a remote source (https://rube.app/mcp). This exposes the agent to adversarial instructions embedded in tool metadata.
- Ingestion points: Output of RUBE_SEARCH_TOOLS in SKILL.md.
- Boundary markers: Absent; instructions tell the agent to follow the schemas and plans exactly.
- Capability inventory: RUBE_MULTI_EXECUTE_TOOL and RUBE_REMOTE_WORKBENCH allow full lifecycle management of Pilvio cloud resources.
- Sanitization: Absent; no validation or filtering of external tool schemas is performed.
- [Remote Code Execution] (HIGH): By delegating tool definition and workflow logic to a remote MCP endpoint, the skill effectively allows the remote server to dictate the agent's behavior and execute arbitrary tool-based operations.
- [External Downloads] (MEDIUM): The skill setup requires connecting to an unverified third-party endpoint (https://rube.app/mcp) which is not within the defined trust scope. This creates a dependency on an untrusted external authority for core skill functionality.
Recommendations
- AI detected serious security threats
Audit Metadata