ynab-automation
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGHEXTERNAL_DOWNLOADSREMOTE_CODE_EXECUTIONPROMPT_INJECTIONCOMMAND_EXECUTION
Full Analysis
- EXTERNAL_DOWNLOADS (HIGH): The skill requires adding an unverified external MCP server endpoint at https://rube.app/mcp which manages all tool definitions and the execution environment.
- REMOTE_CODE_EXECUTION (HIGH): The skill utilizes RUBE_REMOTE_WORKBENCH which allows for the execution of arbitrary tools and scripts in a remote environment via Composio's infrastructure.
- PROMPT_INJECTION (HIGH): Significant risk of Indirect Prompt Injection (Category 8). The agent is instructed to dynamically fetch and follow execution plans and tool schemas from an external server (RUBE_SEARCH_TOOLS). Malicious tool definitions or financial data from YNAB could override agent behavior without sanitization or boundary markers.
- COMMAND_EXECUTION (MEDIUM): The skill uses RUBE_MULTI_EXECUTE_TOOL to run tools discovered at runtime, which could result in unauthorized operations if the tool search results are manipulated by the external endpoint.
Recommendations
- AI detected serious security threats
Audit Metadata