test-app-automation

Fail

Audited by Gen Agent Trust Hub on Feb 16, 2026

Risk Level: HIGH

Findings: EXTERNAL_DOWNLOADS, REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
  • [EXTERNAL_DOWNLOADS] (MEDIUM): The skill requires connection to an external MCP server at https://rube.app/mcp. This domain is not on the list of trusted external sources and provides the foundation for all subsequent operations.
  • [COMMAND_EXECUTION] (HIGH): The skill utilizes RUBE_MULTI_EXECUTE_TOOL and RUBE_REMOTE_WORKBENCH to perform operations. These tools facilitate the execution of arbitrary functionality defined by the external MCP server.
  • [REMOTE_CODE_EXECUTION] (HIGH): Instructions in SKILL.md direct the agent to fetch tool schemas and 'recommended execution plans' at runtime from the remote endpoint and execute them via RUBE_MULTI_EXECUTE_TOOL. This is effectively remote instruction execution.
  • [PROMPT_INJECTION] (HIGH): (Category 8: Indirect Prompt Injection) The skill exposes a significant attack surface by ingesting untrusted data from an external source to guide agent behavior.
    • Ingestion points: Tool metadata, schemas, and execution plans are retrieved via RUBE_SEARCH_TOOLS from rube.app.
    • Boundary markers: Absent. There are no instructions to the agent to treat the returned tool metadata as potentially untrusted or to ignore embedded instructions.
    • Capability inventory: High-privilege capabilities include RUBE_MULTI_EXECUTE_TOOL (tool execution), RUBE_REMOTE_WORKBENCH (bulk operations), and RUBE_MANAGE_CONNECTIONS (authentication management).
    • Sanitization: Absent. The agent is explicitly told to 'Always search tools first' and follow the returned schemas and plans implicitly.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level: HIGH
Analyzed: Feb 16, 2026, 01:32 PM