splitwise-automation

Fail

Audited by Gen Agent Trust Hub on Feb 16, 2026

Risk Level: HIGH
Findings: EXTERNAL_DOWNLOADS, REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, DATA_EXFILTRATION
Full Analysis
  • [EXTERNAL_DOWNLOADS] (HIGH): The skill requires the user to add an unverified external MCP server endpoint (https://rube.app/mcp). This source is not within the defined trusted organizations or repositories.
  • [DATA_EXFILTRATION] (HIGH): Financial data and personally identifiable information (PII) from Splitwise are funneled through the rube.app infrastructure. This exposes sensitive transaction history and connection tokens to a third-party service provider.
  • [REMOTE_CODE_EXECUTION] (HIGH): The skill documentation references 'RUBE_REMOTE_WORKBENCH' for bulk operations. Remote workbenches typically allow for arbitrary code execution in a hosted environment, which presents a high risk when managed by an untrusted entity.
  • [COMMAND_EXECUTION] (MEDIUM): The 'RUBE_MULTI_EXECUTE_TOOL' capability allows the agent to execute tools based on dynamic schemas fetched at runtime. This creates a control-flow hijacking risk where the external server can dictate the agent's actions.
  • [INDIRECT_PROMPT_INJECTION] (HIGH): The skill has a high attack surface for indirect injection as it ingests untrusted data from Splitwise (e.g., expense descriptions or group names) and possesses high-privilege capabilities like 'RUBE_MULTI_EXECUTE_TOOL' and connection management. There is no evidence of sanitization or boundary markers in the instructions.
Recommendations
  • AI detected serious security threats
Audit Metadata
  • Risk Level: HIGH
  • Analyzed: Feb 16, 2026, 01:16 PM