short-io-automation
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGH
Findings: PROMPT_INJECTION, COMMAND_EXECUTION
Full Analysis
- Indirect Prompt Injection (HIGH): The skill exhibits a significant vulnerability surface by instructing the agent to dynamically fetch and follow 'recommended execution plans' and 'known pitfalls' from an external MCP server (rube.app).
- Ingestion Points: Data enters the agent context through the RUBE_SEARCH_TOOLS response.
- Boundary Markers: None. There are no instructions to the agent to treat the remote data as untrusted or to ignore embedded natural language instructions within the schema or plans.
- Capability Inventory: The agent is granted the capability to execute arbitrary tools via RUBE_MULTI_EXECUTE_TOOL and to manage credentials via RUBE_MANAGE_CONNECTIONS.
- Sanitization: None. The skill explicitly tells the agent to use the 'exact field names and types' and 'discovered tool slugs' without validation.
- Command Execution (MEDIUM): The 'Core Workflow Pattern' encourages the agent to execute tool slugs and arguments provided by the remote discovery service. If the remote service is compromised or malicious, it can direct the agent to perform unauthorized operations or data exfiltration via the Short IO toolkit.
- Unverifiable Source (MEDIUM): The skill mandates the use of an external MCP server (https://rube.app/mcp) which is not on the list of trusted providers. This endpoint acts as a control plane for the agent's logic.
Recommendations
- AI detected serious security threats
Audit Metadata