ynab-automation
Warn
Audited by Snyk on Feb 16, 2026
Risk Level: MEDIUM
Full Analysis
MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).
- Third-party content exposure detected (high risk: 0.70). The skill instructs the agent to query a public Rube MCP endpoint (https://rube.app/mcp) via RUBE_SEARCH_TOOLS and to read returned tool schemas, slugs, and execution plans as part of its workflow, which are untrusted third‑party inputs that could carry indirect prompt injection.
MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).
- Potentially malicious external URL detected (high risk: 0.90). The skill requires connecting to the MCP server at https://rube.app/mcp at runtime (via RUBE_SEARCH_TOOLS, RUBE_MANAGE_CONNECTIONS, RUBE_MULTI_EXECUTE_TOOL) to retrieve tool schemas and execution plans and to invoke remote tools, so content from that URL directly determines agent prompts/execution.
MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).
- Direct money access detected (high risk: 1.00). This skill is explicitly and narrowly designed to automate YNAB (You Need A Budget) operations via a dedicated Ynab toolkit (Composio/Rube MCP). It requires an active Ynab connection and instructs calling RUBE_MULTI_EXECUTE_TOOL / run_composio_tool with Ynab tool slugs and schema-compliant arguments — i.e., executing toolkit actions that create/modify YNAB transactions, budgets, and related financial records. Because it targets a specific financial platform and its APIs (not a generic browser or HTTP caller) and is intended to perform operational changes inside a budgeting/account system, it constitutes direct financial execution capability.