sc-mcp
Warn
Audited by Gen Agent Trust Hub on Mar 1, 2026
Risk Level: MEDIUM
Findings: COMMAND_EXECUTION, REMOTE_CODE_EXECUTION, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill integrates the mcp__rube__RUBE_REMOTE_BASH_TOOL tool, which allows the agent to execute arbitrary shell commands on a remote system as part of automated workflows.
- [REMOTE_CODE_EXECUTION]: The mcp__rube__RUBE_REMOTE_WORKBENCH tool provides a Python sandbox environment, enabling the execution of dynamic Python scripts at runtime to process data.
- [COMMAND_EXECUTION]: The mcp__pal__clink tool facilitates external CLI integration, extending the agent's ability to run system-level commands through its reasoning component.
- [REMOTE_CODE_EXECUTION]: The skill includes persistence mechanisms via mcp__rube__RUBE_MANAGE_RECIPE_SCHEDULE, allowing the creation and scheduling of automated workflows using cron expressions that can execute arbitrary code over time.
- [PROMPT_INJECTION]: The skill presents a high risk for indirect prompt injection due to its complex integration surface:
  - Ingestion points: Data enters the agent context from over 500 integrated applications (e.g., Slack messages, GitHub PR bodies, Jira tickets) as described in SKILL.md.
  - Boundary markers: The skill definition lacks explicit delimiters or instructions to ignore embedded commands within external data payloads.
  - Capability inventory: The agent has access to highly privileged tools, including REMOTE_BASH_TOOL and REMOTE_WORKBENCH, which can be triggered by these workflows.
  - Sanitization: There is no evidence of sanitization or validation of the content retrieved from third-party services before it is used to influence tool parameters or execution logic.
Audit Metadata