Rube

Security checks across malware telemetry and agentic risk

Overview

This appears to be a real Rube automation connector, but it ships with an embedded bearer token and exposes broad remote automation, shell, workbench, API, scheduling, and memory capabilities that need careful review.

Review before installing. Use only a version that removes and rotates the embedded bearer token, requires your own scoped credential, clearly documents what data is sent to Rube and connected apps, and requires explicit approval for remote bash, direct API calls, bulk execution, recipe execution, and recurring schedules.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (10)

Description-Behavior Mismatch

Severity: Medium
Confidence: 95%
Finding:
The manifest description is overly generic compared with the actual documented capabilities, which include remote code execution, shell execution, and direct API access. This security disclosure gap makes the skill more dangerous because operators may authorize or invoke it without understanding that it can execute arbitrary commands and interact broadly with external systems.

Context-Inappropriate Capability

Severity: Medium
Confidence: 90%
Finding:
The remote workbench helper set includes broad web search and direct API proxying, which significantly expands the skill beyond simple recipe execution or file processing. That enlarged surface enables network egress and arbitrary external interaction from a persistent remote execution environment, increasing the risk of data exfiltration or unauthorized actions.

Scope Creep

Severity: High
Confidence: 96%
Finding:
The documented capabilities exceed the declared `allowed-tools` scope by exposing helper-mediated web/API access that is not transparently covered by the manifest. This kind of mismatch undermines permission boundaries and can let the skill reach external services through indirect channels that users and reviewers did not authorize.

Intent-Code Divergence

Severity: Low
Confidence: 83%
Finding:
The documentation says the remote workbench is only for remote-file processing or bulk scripting, but the helper set enables broader activities like web search and direct API proxying. While primarily a documentation and scope-control issue, it still weakens operator understanding and can normalize unsafe use of a high-privilege environment.

Missing User Warnings

Severity: Medium
Confidence: 90%
Finding:
The schedule-management flow allows destructive deletion of recurring recipe schedules without documenting any confirmation or user-warning step. This creates a meaningful integrity risk because an agent could delete or overwrite automation unexpectedly, disrupting business processes or causing loss of scheduled operations.

Missing User Warnings

Severity: Medium
Confidence: 96%
Finding:
The skill exposes remote bash execution but does not require a user warning or confirmation before running arbitrary commands in a sandbox. Even in a sandbox, shell access can be used for destructive file operations, network access, credential misuse, or staging follow-on actions, so the absence of friction or warning is dangerous.

Missing User Warnings

Severity: Medium
Confidence: 90%
Finding:
The proxy API helper permits direct transmission of data to external services without any documented warning about egress, third-party processing, or credential-scoped side effects. This is dangerous because users may unknowingly authorize data export or state-changing API calls outside the normal tool-specific safety model.

Missing User Warnings

Severity: Medium
Confidence: 98%
Finding:
The script silently makes authenticated outbound requests to a third-party service and exposes no user-facing disclosure, consent, or visibility into what data is sent. In a skill context, this is more dangerous because invoking the wrapper automatically transmits tool names and JSON arguments to a remote service, potentially including sensitive user data or actions affecting remote systems.

Missing User Warnings

Severity: High
Confidence: 100%
Finding:
A hardcoded Bearer token is embedded directly in the script, allowing anyone with access to the file to reuse the credential against the remote MCP service. This can enable unauthorized API access, impersonation of the associated user or organization, and abuse of powerful remote capabilities such as remote bash or workbench operations exposed by this skill.

Ssd 3

Severity: Medium
Confidence: 94%
Finding:
The memory guidance explicitly encourages retention of durable identifiers, relationships, and user preferences across executions. Without strict minimization, expiry, and access controls, this can lead to unintended persistence and later disclosure of sensitive user or organizational data in unrelated contexts.

VirusTotal

66/66 vendors flagged this skill as clean.