basecamp-automation
Warn
Audited by Gen Agent Trust Hub on Apr 18, 2026
Risk Level: MEDIUM (EXTERNAL_DOWNLOADS, DATA_EXFILTRATION, COMMAND_EXECUTION, PROMPT_INJECTION)
Full Analysis
- [EXTERNAL_DOWNLOADS]: The skill requires the configuration of an external MCP server at https://rube.app/mcp. This domain is not associated with a recognized trusted organization or well-known service, posing a risk when delegating task execution to an unverified remote endpoint.
- [DATA_EXFILTRATION]: Because the skill utilizes a remote MCP server, sensitive data retrieved from Basecamp (including project details, message boards, and personnel lists) is processed through the rube.app infrastructure. This creates a potential exposure vector for private organizational data.
- [COMMAND_EXECUTION]: The skill exposes high-privilege tools such as BASECAMP_PUT_PROJECTS_PEOPLE_USERS, which enables the agent to grant or revoke project access and create new user accounts. Malicious instructions could potentially abuse these administrative capabilities.
- [PROMPT_INJECTION]:
  - Indirect Prompt Injection: The skill is designed to read and process content from Basecamp messages and to-do lists, which are sources of untrusted data.
  - Ingestion points: Data is ingested via BASECAMP_GET_MESSAGE and BASECAMP_GET_BUCKETS_TODOLISTS_TODOS (SKILL.md).
  - Boundary markers: No delimiters or instructions are provided to the agent to ignore potentially malicious commands embedded within the Basecamp messages it reads.
  - Capability inventory: The agent has the ability to modify project permissions and send messages, which could be exploited through a data-driven attack.
  - Sanitization: There is no evidence of content validation or sanitization before processing Basecamp data.