ticktick-automation
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGH
PROMPT_INJECTION, EXTERNAL_DOWNLOADS, COMMAND_EXECUTION, NO_CODE
Full Analysis
- [PROMPT_INJECTION] (HIGH): The skill is highly vulnerable to Indirect Prompt Injection (Category 8).
- Ingestion points: External data from Ticktick tasks, descriptions, and notes enter the agent context when tools are used to fetch or search tasks.
- Boundary markers: Absent. The instructions do not define delimiters or provide system instructions to ignore embedded commands within the processed task data.
- Capability inventory: The skill uses RUBE_MULTI_EXECUTE_TOOL and RUBE_REMOTE_WORKBENCH which allow for significant side effects including creating, modifying, and deleting tasks.
- Sanitization: Absent. There is no evidence of filtering or sanitizing Ticktick content before the agent processes it or uses it to decide on subsequent tool calls.
- [EXTERNAL_DOWNLOADS] (MEDIUM): The skill requires users to add https://rube.app/mcp as an MCP server. This is an external, unverified third-party endpoint not included in the Trusted External Sources list. This creates a dependency on an external service's availability and security posture.
- [COMMAND_EXECUTION] (MEDIUM): The workflow relies on RUBE_SEARCH_TOOLS to dynamically retrieve tool schemas and RUBE_MULTI_EXECUTE_TOOL to run them. This pattern of dynamic tool discovery and execution means the agent's behavior is dictated by remote responses at runtime, which could be manipulated by the service provider or an attacker influencing the data processed by those tools.
- [NO_CODE] (LOW): The skill contains no local executable code (Python, Node.js, or Shell scripts), reducing the risk of local RCE, though its instructional nature directs the agent toward risky external interactions.
Recommendations
- AI detected serious security threats