Security Audit
bonsai-automation
github.com/ComposioHQ/awesome-claude-skills
Trust Assessment
bonsai-automation received a trust score of 79/100, placing it in the Mostly Trusted category. This skill has passed most security checks with only minor considerations noted.
SkillShield's automated analysis identified 3 findings: 0 critical, 1 high, 2 medium, and 0 low severity. Key findings include Potential Command Injection via RUBE_REMOTE_WORKBENCH, Unpinned External Dependency and Implicit Trust in Rube MCP, Potential for Credential Harvesting/Data Exfiltration via Auth Links.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. All layers scored 70 or above, reflecting consistent security practices.
Last analyzed on February 20, 2026 (commit 27904475). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (3)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| HIGH | Potential Command Injection via RUBE_REMOTE_WORKBENCH. The skill mentions `RUBE_REMOTE_WORKBENCH` with `run_composio_tool()` for 'Bulk ops'. The term 'workbench' often implies an environment capable of executing arbitrary code or commands. If `run_composio_tool()` can be manipulated to execute arbitrary system commands or code, it poses a significant command injection risk. Even if its scope is limited to Composio tools, the underlying capabilities of those tools could be excessive, leading to unauthorized actions. Recommendation: clarify and strictly define the execution capabilities and sandboxing of `RUBE_REMOTE_WORKBENCH` and `run_composio_tool()`. Ensure it cannot execute arbitrary system commands, access unauthorized resources, or be used to bypass security controls. Provide explicit documentation on its security implications. | LLM | SKILL.md:67 |
| MEDIUM | Unpinned External Dependency and Implicit Trust in Rube MCP. The skill relies on `https://rube.app/mcp` without specifying a version or pinning. This introduces a supply chain risk, as updates to the Rube MCP could introduce vulnerabilities or malicious behavior without explicit consent. Furthermore, the statement 'No API keys needed — just add the endpoint and it works' implies implicit trust in the `rube.app` domain and its content, which could be exploited if the domain is compromised or spoofed, leading to the execution of untrusted code or data exfiltration. Recommendation: implement version pinning or integrity checks for external MCPs or toolkits. Require explicit authentication or cryptographic verification for external services to ensure their authenticity and integrity. Provide guidance on how users can verify the authenticity and integrity of the Rube MCP. | LLM | SKILL.md:20 |
| MEDIUM | Potential for Credential Harvesting/Data Exfiltration via Auth Links. The `RUBE_MANAGE_CONNECTIONS` tool instructs users to 'follow the returned auth link to complete setup'. If a malicious actor could manipulate the `Rube` system to return a malicious auth link, or if the `Rube` system itself is compromised, it could lead to users providing sensitive credentials to an attacker-controlled site. This creates a direct path for credential harvesting or unauthorized data exfiltration during the connection setup process. Recommendation: implement robust validation and sanitization of auth links returned by `Rube`. Educate users on how to verify the legitimacy and domain of auth links before proceeding. Ensure the `Rube` system has strong security measures to prevent link manipulation and protect the integrity of the authentication flow. | LLM | SKILL.md:24 |