box-automation

Warn

Audited by Snyk on Feb 20, 2026

Risk Level: MEDIUM

Full Analysis

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

  • Third-party content exposure detected (high risk: 0.90). The skill's "Search and Browse Content" workflow requires BOX_SEARCH_FOR_CONTENT (full-text search across files, folders, and web links) and includes steps to read/get/download file contents (BOX_GET_FILE_INFORMATION, BOX_DOWNLOAD_FILE), so the agent will ingest user-generated Box files and external web links—untrusted third-party content that could contain instructions influencing subsequent actions.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

  • Potentially malicious external URL detected (high risk: 0.90). The skill explicitly requires adding and using the MCP endpoint https://rube.app/mcp at runtime and instructs calling RUBE_SEARCH_TOOLS to fetch current tool schemas (which directly control the agent's tools/prompts), making this a required external runtime dependency that can alter agent behavior.

Audit Metadata

Risk Level: MEDIUM
Analyzed: Feb 20, 2026, 08:18 AM