thanks-io-automation
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGH (EXTERNAL_DOWNLOADS, PROMPT_INJECTION, REMOTE_CODE_EXECUTION)
Full Analysis
- [Indirect Prompt Injection] (HIGH): The skill is designed to ingest and execute logic based on schemas and plans returned from an untrusted remote source (Rube MCP).
  - Ingestion points: Tool schemas and execution strategies provided by RUBE_SEARCH_TOOLS.
  - Boundary markers: Absent; instructions explicitly tell the agent to follow returned results exactly.
  - Capability inventory: Includes RUBE_MULTI_EXECUTE_TOOL and RUBE_REMOTE_WORKBENCH, allowing for write operations and remote environment execution.
  - Sanitization: Absent; the agent is directed to prioritize dynamic external data over static logic.
- [Unverifiable Dependencies] (MEDIUM): The skill requires connecting to an external MCP endpoint (https://rube.app/mcp) which is not a trusted source.
- [Dynamic Execution] (MEDIUM): The use of RUBE_REMOTE_WORKBENCH provides a mechanism for remote execution that is triggered by untrusted data from the search/discovery phase.
Recommendations
- AI detected serious security threats
Audit Metadata