yelp-automation

Fail

Audited by Gen Agent Trust Hub on Feb 16, 2026

Risk Level: HIGH
Findings: EXTERNAL_DOWNLOADS, REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, CREDENTIALS_UNSAFE
Full Analysis
  • External Downloads (HIGH): The skill mandates the use of an unverified third-party MCP server (https://rube.app/mcp) not included in the trusted source list. This server acts as the primary authority for tool discovery and execution logic.
  • Remote Code Execution (HIGH): The skill explicitly tells the agent to fetch and follow 'recommended execution plans' from the remote server. This design allows the remote endpoint to control the agent's tool-calling behavior, constituting instruction-based remote code execution.
  • Indirect Prompt Injection (HIGH): The skill is highly vulnerable to indirect prompt injection because it ingests untrusted data (schemas and plans) from the rube.app API and uses them to guide agent behavior. Evidence chain:
    1. Ingestion points: RUBE_SEARCH_TOOLS response contents (SKILL.md).
    2. Boundary markers: none present; the agent is instructed to use the results directly.
    3. Capability inventory: RUBE_MULTI_EXECUTE_TOOL and RUBE_REMOTE_WORKBENCH provide capabilities for executing complex tool sequences.
    4. Sanitization: no validation or sanitization of the remote plans is performed.
  • Credentials Unsafe (MEDIUM): The skill uses RUBE_MANAGE_CONNECTIONS to handle Yelp authentication, delegating the management of sensitive OAuth tokens to the unverified rube.app service.
  • Command Execution (MEDIUM): The skill utilizes RUBE_MULTI_EXECUTE_TOOL and RUBE_REMOTE_WORKBENCH to perform actions based on untrusted remote logic, permitting arbitrary tool execution directed by an external entity.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level: HIGH
Analyzed: Feb 16, 2026, 08:25 AM