updown-io-automation
Pass
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: SAFE (flags: EXTERNAL_DOWNLOADS, PROMPT_INJECTION, COMMAND_EXECUTION)
Full Analysis
- EXTERNAL_DOWNLOADS (LOW): The skill instructions require the user to connect to an external MCP server at https://rube.app/mcp. This domain is not part of the predefined trusted source list. While it is a known integration platform (Composio), the reliance on an external endpoint for core functionality is noted.
- PROMPT_INJECTION (LOW): The skill is susceptible to Indirect Prompt Injection (Category 8c). It explicitly instructs the agent to 'Always search tools first' using RUBE_SEARCH_TOOLS and to follow the 'recommended execution plans' and 'input schemas' returned by the external server.
  - Ingestion points: Dynamic tool schemas and execution strategies fetched from https://rube.app/mcp via the RUBE_SEARCH_TOOLS tool.
  - Boundary markers: Absent. The skill does not provide delimiters or instructions to ignore malicious content within the fetched schemas.
  - Capability inventory: The agent has the capability to execute complex workflows and multi-step tool calls via RUBE_MULTI_EXECUTE_TOOL and RUBE_REMOTE_WORKBENCH.
  - Sanitization: None. The instructions mandate strict compliance with the external search results ('Use exact field names and types from the search results').
- COMMAND_EXECUTION (LOW): The skill uses RUBE_MULTI_EXECUTE_TOOL and RUBE_REMOTE_WORKBENCH to perform operations on the Updown IO platform. While these are managed tool calls, they represent the execution of remote capabilities controlled by the MCP server's logic.
Audit Metadata