remote-retrieval-automation

The skill instructs the LLM to interact with Rube MCP tools, specifically `RUBE_SEARCH_TOOLS` and `RUBE_MULTI_EXECUTE_TOOL`. The `queries` field for `RUBE_SEARCH_TOOLS` and the `arguments` field for `RUBE_MULTI_EXECUTE_TOOL` are designed to be populated based on user input. If the LLM directly passes untrusted user input into these fields without robust sanitization or validation, an attacker could inject malicious instructions or data. This creates several credible exploit paths: 1. **Prompt Injection**: Malicious input in `queries` or `arguments` could manipulate the Rube MCP's interpretation of the request, leading to unintended tool selection or behavior. 2. **Data Exfiltration**: If the underlying 'Remote Retrieval' tools accept arguments such as URLs, file paths, or database queries, an attacker could craft inputs to retrieve sensitive data from internal networks or local files (if accessible by the tool) and have the agent return it. 3. **Command Injection**: If any specific 'Remote Retrieval' tool is vulnerable to command injection through its arguments (e.g., executing shell commands based on input), an attacker could execute arbitrary commands on the system hosting that tool. The skill's 'Known Pitfalls' advise 'Schema compliance' and 'Always search first', which are good practices for the LLM, but do not inherently prevent a compromised LLM from constructing malicious, yet schema-compliant, arguments based on an injected prompt.