bitwarden-automation
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGH (CREDENTIALS_UNSAFE, EXTERNAL_DOWNLOADS, COMMAND_EXECUTION, DATA_EXFILTRATION)
Full Analysis
- CREDENTIALS_UNSAFE (HIGH): The skill is explicitly designed to access and manage Bitwarden, a password manager containing the user's most sensitive credentials. Accessing this data through a chain of third-party tools (Rube and Composio) significantly increases the risk of credential exposure.
- EXTERNAL_DOWNLOADS (MEDIUM): The instructions require adding an external MCP server endpoint (https://rube.app/mcp). This is an unverifiable remote dependency that dictates the agent's available tools and behaviors at runtime.
- DATA_EXFILTRATION (HIGH): The skill combines access to sensitive vault data with network-enabled tool execution (RUBE_MULTI_EXECUTE_TOOL, RUBE_REMOTE_WORKBENCH). This pattern allows for the possibility of vault contents being transmitted to external endpoints managed by the toolkit provider or the MCP host.
- COMMAND_EXECUTION (MEDIUM): The RUBE_REMOTE_WORKBENCH and run_composio_tool() patterns indicate the ability to execute remote operations and potentially arbitrary code within the workbench environment.
- INDIRECT PROMPT INJECTION (HIGH): Mandatory evidence chain:
  - Ingestion points: Tool schemas and execution plans are ingested dynamically via RUBE_SEARCH_TOOLS from rube.app.
  - Boundary markers: Absent. The agent is told to "Always search first" and follow the returned schemas implicitly.
  - Capability inventory: Full access to the Bitwarden toolkit (read/write credentials) and remote execution via RUBE_MULTI_EXECUTE_TOOL.
  - Sanitization: None. The skill relies entirely on the output of the remote search tool to define its logic.
Recommendations
- AI detected serious security threats
Audit Metadata