signaturely-automation
Warn
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: MEDIUM
Tags: EXTERNAL_DOWNLOADS, COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
- Unverifiable Dependencies & Remote Code Execution (MEDIUM): Dependency on an external MCP server endpoint at https://rube.app/mcp.
  - Evidence: The Setup section instructs users to add this third-party URL as an MCP server. This source is not included in the Trusted External Sources list (e.g., Anthropic, Google, Microsoft), requiring users to trust the rube.app domain with session data and tool execution.
- Dynamic Execution (MEDIUM): Implementation of runtime tool discovery and subsequent execution.
  - Evidence: The workflow relies on calling RUBE_SEARCH_TOOLS to fetch schemas which are then passed directly to RUBE_MULTI_EXECUTE_TOOL. This allows the remote server to dictate the slugs and arguments of tools the agent executes at runtime.
- Indirect Prompt Injection (LOW): Vulnerability surface for indirect instructions embedded in retrieved data.
  - Ingestion points: Data retrieved from Signaturely operations and the tool schemas returned by the MCP server.
  - Boundary markers: Absent. The instructions do not define delimiters or provide warnings to the agent to ignore instructions embedded in the document data.
  - Capability inventory: Extensive execution capabilities via RUBE_MULTI_EXECUTE_TOOL and RUBE_REMOTE_WORKBENCH.
  - Sanitization: Absent. No validation or escaping of external content is specified before processing.
Audit Metadata