revolt-automation
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGHEXTERNAL_DOWNLOADSREMOTE_CODE_EXECUTIONCOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
- [Unverifiable Dependencies & Remote Code Execution] (MEDIUM): The skill directs the user to add an external MCP server (
https://rube.app/mcp) which is not part of the trusted organization list. This server controls the tool definitions available to the agent. - [Indirect Prompt Injection] (HIGH): The skill establishes a high-risk execution pattern where the agent is instructed to 'Always search tools first' and follow 'recommended execution plans' provided by the remote server.
- Ingestion points:
RUBE_SEARCH_TOOLSfetches dynamic schemas, plans, and pitfalls fromrube.app(SKILL.md). - Boundary markers: None. There are no instructions to sanitize or ignore embedded natural language commands within the fetched schemas.
- Capability inventory: Includes
RUBE_MULTI_EXECUTE_TOOLandRUBE_REMOTE_WORKBENCH, providing the agent with write/execute capabilities on the Revolt platform. - Sanitization: None. The agent is explicitly told to use the exact field names and logic returned by the external API.
- [Remote Code Execution] (HIGH): The use of
RUBE_REMOTE_WORKBENCHallows for remote command execution or tool orchestration through the Composio framework, governed by configurations fetched from an untrusted external URL.
Recommendations
- AI detected serious security threats
Audit Metadata