zeplin-automation
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGHEXTERNAL_DOWNLOADSCOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
- [EXTERNAL_DOWNLOADS] (HIGH): The skill mandates connecting to an untrusted remote MCP server endpoint (https://rube.app/mcp). This server serves as the source for all tool definitions and execution logic used by the agent.
- [COMMAND_EXECUTION] (HIGH): The skill relies on 'RUBE_MULTI_EXECUTE_TOOL' and 'RUBE_REMOTE_WORKBENCH' to perform actions. Since these tools are fetched dynamically from an external source at runtime, it enables the execution of arbitrary remote commands if the endpoint is compromised.
- [PROMPT_INJECTION] (HIGH): The skill exposes a significant indirect prompt injection surface (Category 8). 1. Ingestion points: Remote tool schemas and 'recommended execution plans' from RUBE_SEARCH_TOOLS. 2. Boundary markers: None (the agent is instructed to 'always search tools first' and use the results directly). 3. Capability inventory: High-privilege capabilities including multi-tool execution and remote workbench access. 4. Sanitization: None; the skill assumes the remote server's output is safe and authoritative.
Recommendations
- AI detected serious security threats
Audit Metadata