screenshotone-automation
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGH
Flags: EXTERNAL_DOWNLOADS, COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
- Indirect Prompt Injection (HIGH): The skill is architected to ingest and obey instructions (schemas, execution plans) from an external service.
  1. Ingestion points: The RUBE_SEARCH_TOOLS function in SKILL.md retrieves data from rube.app.
  2. Boundary markers: None present; the agent is instructed to follow the 'recommended execution plans' from the search results.
  3. Capability inventory: The skill has access to RUBE_MULTI_EXECUTE_TOOL and RUBE_REMOTE_WORKBENCH, which can execute complex tool chains and remote commands.
  4. Sanitization: None. The skill explicitly directs the agent to use 'exact field names' from the remote response.
- Dynamic Execution (MEDIUM): The skill uses RUBE_MULTI_EXECUTE_TOOL and RUBE_REMOTE_WORKBENCH to run tools discovered dynamically. It forbids hardcoding tool slugs, so the agent's operational logic is defined entirely by the remote MCP server at runtime.
- External Downloads (LOW): The setup process requires connecting to https://rube.app/mcp as a server. While not a direct executable download, this remote dependency defines the skill's capabilities and is not on the trusted source list.
Recommendations
- AI detected serious security threats
Audit Metadata