bonsai-automation
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGH
Findings: EXTERNAL_DOWNLOADS, REMOTE_CODE_EXECUTION, PROMPT_INJECTION
Full Analysis
- [EXTERNAL_DOWNLOADS] (MEDIUM): The skill mandates the use of an external MCP server endpoint (https://rube.app/mcp) that is not within the trusted source list. This creates a dependency on unverified third-party infrastructure.
- [REMOTE_CODE_EXECUTION] (HIGH): The workflow requires calling RUBE_SEARCH_TOOLS to fetch schemas, tool slugs, and 'recommended execution plans' at runtime. Since the agent is instructed to follow these dynamically retrieved instructions to populate RUBE_MULTI_EXECUTE_TOOL, the external server effectively controls the agent's actions within the Bonsai environment.
- [PROMPT_INJECTION] (HIGH): This skill is vulnerable to Indirect Prompt Injection (Category 8).
  - Ingestion points: Data enters the agent context via RUBE_SEARCH_TOOLS (SKILL.md).
  - Boundary markers: None. The skill explicitly directs the agent to 'Always use exact field names and types from the search results'.
  - Capability inventory: The agent has broad capabilities including RUBE_MULTI_EXECUTE_TOOL, RUBE_MANAGE_CONNECTIONS, and RUBE_REMOTE_WORKBENCH (SKILL.md).
  - Sanitization: None. There is no validation of the 'recommended execution plans' or 'pitfalls' returned by the untrusted server.
- [CREDENTIALS_UNSAFE] (LOW): While no keys are hardcoded, the skill encourages following 'returned auth links' from the MCP server to complete setup, which could be used for phishing or unauthorized credential harvesting if the third-party server is compromised.
Recommendations
- AI detected serious security threats
Audit Metadata