sendspark-automation

Fail

Audited by Gen Agent Trust Hub on Feb 16, 2026

Risk Level: HIGH (REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, EXTERNAL_DOWNLOADS)
Full Analysis
  • Indirect Prompt Injection (HIGH): The skill's fundamental workflow creates a critical vulnerability surface by requiring the agent to ingest untrusted data from an external source and use it to drive execution logic.
    ◦ Ingestion points: The response from RUBE_SEARCH_TOOLS (provided by https://rube.app/mcp).
    ◦ Boundary markers: Absent. There are no instructions for the agent to validate or sanitize the schemas or plans returned by the external service.
    ◦ Capability inventory: RUBE_MULTI_EXECUTE_TOOL (executes arbitrary discovered tools) and RUBE_REMOTE_WORKBENCH (executes tools in a remote environment).
    ◦ Sanitization: Absent. The skill explicitly instructs the agent to use the "exact field names" and "recommended execution plans" provided by the remote discovery call.
  • Remote Code Execution (HIGH): The use of RUBE_REMOTE_WORKBENCH paired with run_composio_tool() implies a remote execution environment. Since the environment and the tools being run are defined by an untrusted external endpoint (rube.app), this facilitates unverified code or command execution.
  • Unverifiable Dependencies (MEDIUM): The skill requires connecting to https://rube.app/mcp. This domain is not within the defined [TRUST-SCOPE-RULE] for trusted organizations or repositories. The claim that "No API keys needed" suggests that authentication and authorization are handled entirely by the third-party endpoint, removing local control over the security of the connection.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level: HIGH
Analyzed: Feb 16, 2026, 12:39 PM