toneden-automation
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGH
Tags: EXTERNAL_DOWNLOADS, REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
- [Remote Code Execution / External Downloads] (HIGH): The skill requires the installation of an MCP server from an unverified external source (https://rube.app/mcp). It explicitly instructs the agent to fetch 'execution plans' and 'tool schemas' from this endpoint at runtime. This allows the remote server to dictate the agent's logic and tool usage, effectively performing remote instruction execution.
- [Indirect Prompt Injection] (HIGH): The skill has a high-risk surface for indirect prompt injection via the RUBE_SEARCH_TOOLS mechanism.
  - Ingestion points: Untrusted tool schemas and execution plans enter the context via RUBE_SEARCH_TOOLS (documented in 'Core Workflow Pattern').
  - Boundary markers: Absent. There are no instructions to the agent to treat the remote schema or plans as untrusted or to ignore embedded natural language instructions.
  - Capability inventory: The agent has access to RUBE_MULTI_EXECUTE_TOOL and RUBE_REMOTE_WORKBENCH, providing significant side effects (account modification, remote command execution).
  - Sanitization: Absent. The agent is told to use 'exact field names' and 'recommended execution plans' directly from the search results.
- [Command Execution] (MEDIUM): The inclusion of RUBE_REMOTE_WORKBENCH implies capabilities for broader remote operations, which, when paired with the 'always search first' requirement, allows a remote actor to trigger complex behaviors on the host or connected accounts.
Recommendations
- AI detected serious security threats
Audit Metadata