plain-automation
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGH
Findings: EXTERNAL_DOWNLOADS, REMOTE_CODE_EXECUTION, PROMPT_INJECTION
Full Analysis
- [Prompt Injection] (HIGH): The skill exhibits a high risk of indirect prompt injection. It is designed to interact with the Plain platform, which hosts external, untrusted content such as customer support tickets.
  - Ingestion points: Untrusted data enters the agent context via tool outputs when reading tickets or customer records from Plain.
  - Boundary markers: There are no instructions provided to the agent to treat external content as untrusted or to ignore embedded instructions.
  - Capability inventory: The RUBE_MULTI_EXECUTE_TOOL and RUBE_REMOTE_WORKBENCH tools allow for significant side effects, including modifying data and executing remote operations.
  - Sanitization: No sanitization or validation logic is defined to prevent the agent from obeying instructions embedded within processed tickets.
- [Remote Code Execution] (HIGH): The skill utilizes RUBE_REMOTE_WORKBENCH and RUBE_MULTI_EXECUTE_TOOL. These capabilities allow for the execution of logic and tools on remote infrastructure. If the tool parameters or workbench commands are influenced by malicious data from the support tickets, it could lead to unauthorized remote actions.
- [External Downloads] (MEDIUM): The skill mandates the use of an external MCP server endpoint (https://rube.app/mcp). This endpoint is not on the trusted source list and functions as a remote control plane for discovering and executing tools, introducing a dependency on an unverified third-party service.
Recommendations
- AI detected serious security threats
Audit Metadata