supportivekoala-automation
Fail
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: HIGH (PROMPT_INJECTION, COMMAND_EXECUTION, REMOTE_CODE_EXECUTION)
Full Analysis
- [Indirect Prompt Injection] (HIGH): The skill is highly susceptible to instructions embedded in processed data.
  * Ingestion points: Data is received from RUBE_SEARCH_TOOLS (tool schemas and execution plans) and the Supportivekoala API (account data).
  * Boundary markers: Absent. The skill lacks instructions to treat external data as untrusted or to ignore instructions embedded within it.
  * Capability inventory: The agent can use RUBE_MULTI_EXECUTE_TOOL and RUBE_REMOTE_WORKBENCH to perform account modifications and execute remote operations.
  * Sanitization: Absent. There is no evidence of validation for tool arguments or search results.
- [Remote Code Execution] (MEDIUM): The use of RUBE_REMOTE_WORKBENCH enables the execution of workflows in a remote workbench environment, which could be used to perform operations outside the user's immediate oversight.
- [Command Execution] (MEDIUM): Core operations use RUBE_MULTI_EXECUTE_TOOL with slugs and arguments discovered at runtime. This dynamic tool discovery means the agent's actions are controlled by the remote MCP server's responses, which could be manipulated to execute higher-privilege tools.
- [External Downloads] (LOW): The skill requires adding an MCP server from rube.app, an external third-party source not on the trusted organizations list.
Recommendations
- AI detected serious security threats
Audit Metadata