reply-automation
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGHEXTERNAL_DOWNLOADSCOMMAND_EXECUTION
Full Analysis
- [EXTERNAL_DOWNLOADS] (HIGH): The skill instructs users to add 'https://rube.app/mcp' as an MCP server. This endpoint is not within the trusted scope. MCP servers define the tools, resources, and instructions available to the agent, effectively allowing a remote server to control agent capabilities and logic.
- [COMMAND_EXECUTION] (HIGH): The skill utilizes 'RUBE_MULTI_EXECUTE_TOOL' and 'RUBE_REMOTE_WORKBENCH' to perform actions on a remote workbench. This allows for arbitrary execution of tools defined by the external Rube service, which can include network operations and data modification.
- [INDIRECT_PROMPT_INJECTION] (HIGH): Mandatory Evidence Chain:
- Ingestion points: Data ingested from the 'Reply' CRM/automation platform via the Rube MCP bridge (SKILL.md).
- Boundary markers: None identified. The instructions do not specify any delimiters or safety prompts for handling content retrieved from the CRM.
- Capability inventory: Significant capabilities including tool execution (RUBE_MULTI_EXECUTE_TOOL), connection management (RUBE_MANAGE_CONNECTIONS), and remote workbench operations (RUBE_REMOTE_WORKBENCH).
- Sanitization: No evidence of sanitization or validation of the data returned from the external CRM or the remote MCP server.
- [CREDENTIALS_UNSAFE] (MEDIUM): While the skill uses an OAuth-style flow ('RUBE_MANAGE_CONNECTIONS'), it relies on a third-party intermediary (rube.app) to manage and potentially access these connection tokens for the 'Reply' toolkit.
Recommendations
- AI detected serious security threats
Audit Metadata