reply-io-automation
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGH
Findings: EXTERNAL_DOWNLOADS, PROMPT_INJECTION, REMOTE_CODE_EXECUTION
Full Analysis
- [EXTERNAL_DOWNLOADS] (MEDIUM): The skill requires the user to add an untrusted external MCP server endpoint (https://rube.app/mcp) to their configuration, which is not among the verified trusted sources.
- [PROMPT_INJECTION] (HIGH): High risk of Indirect Prompt Injection (Category 8) due to the processing of external tool schemas and recommended execution plans.
  1. Ingestion points: Tool schemas and execution plans returned by the RUBE_SEARCH_TOOLS command.
  2. Boundary markers: Absent; the skill directs the agent to follow the search results implicitly.
  3. Capability inventory: The skill uses RUBE_MULTI_EXECUTE_TOOL and RUBE_REMOTE_WORKBENCH to perform actions based on those results.
  4. Sanitization: Absent; no instructions are provided to validate or filter the remote plans.
- [REMOTE_CODE_EXECUTION] (HIGH): By instructing the agent to execute 'recommended execution plans' provided by an untrusted remote MCP server via RUBE_MULTI_EXECUTE_TOOL, the skill effectively enables remote control over the agent's actions within the connected toolkit environment.
Recommendations
- AI detected serious security threats
Audit Metadata