v0-automation
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGH
Findings: EXTERNAL_DOWNLOADS, REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
- EXTERNAL_DOWNLOADS (HIGH): The skill requires the user to add an untrusted third-party MCP server (https://rube.app/mcp) to their client configuration. This server is not within the trusted scope and controls the logic for all subsequent tool executions.
- REMOTE_CODE_EXECUTION (HIGH): Features tools like RUBE_REMOTE_WORKBENCH and RUBE_MULTI_EXECUTE_TOOL which execute actions on a remote environment. The behavior of these tools is dynamically defined by the untrusted MCP server's response to RUBE_SEARCH_TOOLS or RUBE_GET_TOOL_SCHEMAS.
- PROMPT_INJECTION (HIGH): Susceptible to Indirect Prompt Injection. The skill processes data from V0 tasks (which can include user-provided UI descriptions or code) and possesses high-privilege execution capabilities.
- Ingestion points: V0 task descriptions and project metadata processed through Rube tools.
- Boundary markers: None identified in the skill instructions to separate external data from tool commands.
- Capability inventory: RUBE_MULTI_EXECUTE_TOOL, RUBE_REMOTE_WORKBENCH, RUBE_MANAGE_CONNECTIONS.
- Sanitization: No sanitization or validation of the external content is performed before interpolation into the workflow.
- DATA_EXFILTRATION (MEDIUM): Automating V0 tasks through the Rube proxy server involves routing V0 project data and connection status through an external entity (rube.app), creating a risk of unauthorized data access by the provider.
Recommendations
- AI detected serious security threats
Audit Metadata