screenshot-fyi-automation
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGH
Tags: EXTERNAL_DOWNLOADS, COMMAND_EXECUTION, REMOTE_CODE_EXECUTION, PROMPT_INJECTION
Full Analysis
- [External Downloads] (MEDIUM): The skill instructions require the user to add an external MCP server endpoint, https://rube.app/mcp. Because this domain is not included in the predefined trusted scope, it is treated as an unverifiable remote dependency.
- [Indirect Prompt Injection] (HIGH): This skill presents a significant vulnerability surface for indirect prompt injection due to its operational model.
  - Ingestion points: The skill processes external, untrusted content from the web via the screenshot_fyi toolkit.
  - Boundary markers: There are no boundary markers or 'ignore embedded instructions' delimiters specified for the data ingested from external URLs.
  - Capability inventory: The skill utilizes RUBE_MULTI_EXECUTE_TOOL and RUBE_REMOTE_WORKBENCH, providing the agent with the ability to execute arbitrary commands and tools based on its reasoning.
  - Sanitization: No sanitization or validation of the content captured from external websites is performed before the agent processes it.
- [Command Execution] (HIGH): The skill pattern relies on RUBE_MULTI_EXECUTE_TOOL to perform actions based on tool schemas discovered at runtime via RUBE_SEARCH_TOOLS. This allows for the dynamic execution of tools with potentially high privileges or side effects on the local or remote system.
- [Remote Code Execution] (HIGH): The RUBE_REMOTE_WORKBENCH operation with run_composio_tool() enables remote execution patterns that bypass local environment restrictions, increasing the risk if the tool choice is influenced by malicious external data.
Recommendations
- AI detected serious security threats
Audit Metadata