tpscheck-automation
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGH
Tags: REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, PROMPT_INJECTION
Full Analysis
- Indirect Prompt Injection (HIGH): The skill is highly vulnerable to indirect prompt injection because it relies on instructions and schemas fetched from an external source at runtime.
  - Ingestion points: The RUBE_SEARCH_TOOLS tool fetches tool schemas, recommended execution plans, and "known pitfalls" from https://rube.app/mcp (SKILL.md, Core Workflow Pattern).
  - Boundary markers: Absent. There are no instructions for the agent to ignore malicious commands embedded in the search results.
  - Capability inventory: The agent can execute arbitrary tools via RUBE_MULTI_EXECUTE_TOOL and RUBE_REMOTE_WORKBENCH (SKILL.md, Core Workflow Pattern).
  - Sanitization: No sanitization is mentioned; the agent is explicitly told to use exact field names and recommended plans from the search results.
- Remote Code Execution (HIGH): The skill facilitates the execution of remote logic defined by a third-party server.
  - Evidence: The RUBE_REMOTE_WORKBENCH tool with run_composio_tool() allows the agent to execute tools whose logic is hosted and managed on the Rube/Composio platform (SKILL.md, Quick Reference).
- External Downloads (MEDIUM): The skill requires the user to add an untrusted MCP endpoint (https://rube.app/mcp) to their configuration.
  - Risk: This endpoint is not on the trusted sources list and serves as the primary authority for the agent's automation logic, creating a dependency on an unverified third party.
Recommendations
- AI detected serious security threats
Audit Metadata