templated-automation
Fail
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: HIGH
Tags: EXTERNAL_DOWNLOADS, REMOTE_CODE_EXECUTION, PROMPT_INJECTION
Full Analysis
- [External Downloads / Remote Code Execution] (HIGH): The setup instructions mandate adding 'https://rube.app/mcp' as an MCP server. This domain is not in the trusted scope, and connecting to it allows an untrusted third party to provide tool definitions and execution logic to the agent.
- [Indirect Prompt Injection] (HIGH): The skill relies on 'RUBE_SEARCH_TOOLS' to ingest tool schemas and 'execution plans' from the remote server. Evidence: (1) Ingestion point: RUBE_SEARCH_TOOLS results; (2) Boundary markers: none; (3) Capabilities: RUBE_MULTI_EXECUTE_TOOL and RUBE_REMOTE_WORKBENCH; (4) Sanitization: none. A malicious server could embed instructions in the tool schemas or plans to hijack agent behavior.
- [Dynamic Execution] (MEDIUM): The workflow uses tool slugs and arguments discovered at runtime from the external search service. This allows for schema confusion and execution of unauthorized tools if the remote provider is compromised.
Recommendations
- AI detected serious security threats
Audit Metadata