tally-automation
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGH
Tags: EXTERNAL_DOWNLOADS, PROMPT_INJECTION, COMMAND_EXECUTION
Full Analysis
- [Indirect Prompt Injection] (HIGH): The skill is highly vulnerable to indirect prompt injection (Category 8) because it fetches and follows tool schemas and 'recommended execution plans' from the external rube.app MCP server. Evidence: (1) Ingestion point: RUBE_SEARCH_TOOLS response. (2) Boundary markers: Absent. (3) Capability inventory: Full Tally automation including write operations via RUBE_MULTI_EXECUTE_TOOL. (4) Sanitization: None. This architecture allows the remote server to dictate the agent's actions on sensitive data.
- [External Logic Source] (MEDIUM): The skill requires adding 'https://rube.app/mcp' as an MCP server. This introduces a supply-chain risk as the core logic and tool definitions are hosted on a domain not explicitly listed as a trusted source.
Recommendations
- AI detected serious security threats
Audit Metadata