datadog-automation
Pass
Audited by Gen Agent Trust Hub on Apr 18, 2026
Risk Level: SAFEEXTERNAL_DOWNLOADSCOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
- [EXTERNAL_DOWNLOADS]: The skill requires the user to add an external MCP server endpoint (
https://rube.app/mcp) to their client configuration. This endpoint provides the logic and schemas for the Datadog tools, making the skill dependent on the availability and integrity of the third-partyrube.appservice. - [COMMAND_EXECUTION]: The skill exposes several high-impact administrative tools that allow the agent to modify the Datadog environment. Notably,
DATADOG_DELETE_DASHBOARDallows for irreversible deletion of dashboards, while tools likeDATADOG_MUTE_MONITORandDATADOG_CREATE_DOWNTIMEcan be used to suppress active alerts and monitoring visibility. - [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection due to its core functionality of reading and acting upon external data.
- Ingestion points: Untrusted data enters the agent context via
DATADOG_SEARCH_LOGS(log body),DATADOG_LIST_EVENTS(event text), andDATADOG_QUERY_METRICS(metric tags and names). - Boundary markers: The instructions do not specify any delimiters or safety warnings (e.g., "ignore embedded instructions") when the agent processes the output from these ingestion tools.
- Capability inventory: The skill provides significant capabilities that an attacker could target through injected instructions, including deleting resources (
DATADOG_DELETE_DASHBOARD), modifying alert configurations (DATADOG_UPDATE_MONITOR), and creating alerts or events. - Sanitization: There are no instructions or mechanisms provided to sanitize, escape, or validate the content of the logs or events before the agent evaluates them.
Audit Metadata