vero-automation
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGH (PROMPT_INJECTION, EXTERNAL_DOWNLOADS)
Full Analysis
- Indirect Prompt Injection (HIGH): The skill implements a workflow that fetches instructions and tool schemas from an external source (RUBE_SEARCH_TOOLS) and treats them as authoritative.
  - Ingestion points: Data returned by RUBE_SEARCH_TOOLS in SKILL.md, specifically mentioned as providing "recommended execution plans" and input schemas.
  - Boundary markers: Absent. The instructions explicitly mandate the agent to "Always search tools first" and follow the returned results to avoid "pitfalls."
  - Capability inventory: The skill utilizes RUBE_MULTI_EXECUTE_TOOL and RUBE_REMOTE_WORKBENCH, which allow the agent to perform complex operations or execute code based on the untrusted remote data.
  - Sanitization: None. There is no mechanism to validate or sanitize the remote execution plans before the agent acts on them.
- External Downloads (MEDIUM): The skill requires the configuration of an external, unverified MCP server (https://rube.app/mcp). Under the [TRUST-SCOPE-RULE], this source is not on the trusted list, meaning the agent's reliance on this endpoint for tool logic is a security concern.
- Metadata Poisoning (LOW): The description encourages the agent to "Always search tools first," which prioritizes external, potentially adversarial data over the static skill instructions.
Recommendations
- AI detected serious security threats
Audit Metadata