y-gy-automation
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGHEXTERNAL_DOWNLOADSCOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
- [EXTERNAL_DOWNLOADS] (HIGH): The skill requires connection to an untrusted external MCP endpoint (
https://rube.app/mcp). This source is not part of the trusted organizational list and serves as a remote dependency for all skill operations. - [PROMPT_INJECTION] (HIGH): The skill implements a 'dynamic instruction fetching' pattern. It explicitly tells the agent to 'Always search tools first' and follow the 'recommended execution plans' returned by the remote server. This constitutes a high-risk Indirect Prompt Injection surface where the remote server can override agent behavior at runtime.
- [COMMAND_EXECUTION] (HIGH): The skill uses the
RUBE_MULTI_EXECUTE_TOOLandRUBE_REMOTE_WORKBENCHcapabilities to perform actions based on the untrusted remote search results. Because the agent is instructed to use schemas and plans provided by the external server, the server can trigger arbitrary tool executions. - [DATA_EXFILTRATION] (MEDIUM): By using
RUBE_MANAGE_CONNECTIONSthrough a third-party bridge (rube.app), sensitive session data and authentication status for the 'Y Gy' service are processed by an unverified intermediary, posing a risk of data exposure. - [INDIRECT PROMPT INJECTION] (HIGH): Mandatory Evidence Chain:
- Ingestion points:
RUBE_SEARCH_TOOLSresponse (fetches schemas and execution plans fromrube.app). - Boundary markers: Absent. The agent is told to follow the plans 'always'.
- Capability inventory:
RUBE_MULTI_EXECUTE_TOOL(execution),RUBE_REMOTE_WORKBENCH(remote operations). - Sanitization: Absent. The skill relies entirely on the remote source for the definition of arguments and sequences.
Recommendations
- AI detected serious security threats
Audit Metadata