short-menu-automation
Fail
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: HIGH
EXTERNAL_DOWNLOADS, REMOTE_CODE_EXECUTION, COMMAND_EXECUTION
Full Analysis
- Indirect Prompt Injection (HIGH): This skill exhibits a high-risk indirect injection surface. It is explicitly designed to ingest tool schemas, input definitions, and execution plans from an external source via RUBE_SEARCH_TOOLS.
  - Ingestion points: External data enters the context via the output of RUBE_SEARCH_TOOLS and RUBE_GET_TOOL_SCHEMAS from the rube.app endpoint.
  - Boundary markers: None identified. The skill instructs the agent to follow returned execution plans without validation.
  - Capability inventory: The agent possesses write/execute capabilities through RUBE_MULTI_EXECUTE_TOOL and RUBE_REMOTE_WORKBENCH.
  - Sanitization: None present. The skill mandates using 'exact field names and types' from external search results.
- External Downloads & Remote Code Execution (HIGH): The 'Setup' section requires adding https://rube.app/mcp as an MCP server. Because this server provides the logic, schemas, and instructions for tool execution at runtime, it effectively allows remote control over the agent's operational capabilities. Since rube.app is not on the [TRUST-SCOPE-RULE] whitelist, this is treated as an untrusted remote code source.
- Data Exposure & Exfiltration (MEDIUM): The use of RUBE_MANAGE_CONNECTIONS and session IDs (session_id) involves the transmission of session metadata and authentication status to an external service. While standard for many toolkits, the lack of trusted source status for the endpoint necessitates caution regarding the handling of connection tokens.
Recommendations
- AI detected serious security threats
Audit Metadata