Security Audit
accelo-automation
github.com/ComposioHQ/awesome-claude-skills
Trust Assessment
accelo-automation received a trust score of 78/100, placing it in the Mostly Trusted category. This skill has passed most security checks with only minor considerations noted.
SkillShield's automated analysis identified 2 findings: 0 critical, 1 high, 1 medium, and 0 low severity. Key findings include Unpinned dependencies on Rube MCP and Accelo toolkit, Broad access to Accelo operations.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. All layers scored 70 or above, reflecting consistent security practices.
Last analyzed on February 20, 2026 (commit 27904475). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (2)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| HIGH | Unpinned dependencies on Rube MCP and Accelo toolkit: the skill explicitly declares a dependency on the 'rube' MCP in its manifest (`"requires": {"mcp": ["rube"]}`) and mentions 'Composio's Accelo toolkit' in its description. Neither dependency specifies a version, making them unpinned. This introduces a supply chain risk, as updates to these external components could introduce vulnerabilities, breaking changes, or malicious code without explicit review or control by the skill maintainer. Pin specific versions for all external dependencies (e.g., `{"mcp": ["rube@1.2.3"]}`) to ensure stability and security. Regularly review and update pinned versions. | Static | SKILL.md:1 |
| MEDIUM | Broad access to Accelo operations: the skill provides the LLM with the ability to perform 'Accelo operations' without specifying or limiting the scope of these actions. Accelo is a comprehensive business management platform, and broad access could allow an LLM, if maliciously prompted, to interact with sensitive client data, financial records, project details, or perform destructive actions (e.g., deleting projects, modifying invoices). The skill's description does not include mechanisms to constrain or audit the specific types of Accelo operations the LLM is permitted to execute. Refine the skill's description and/or underlying toolkit configuration to specify and limit the exact Accelo operations the LLM is authorized to perform. Implement granular access controls and logging for all tool calls to Accelo. | Static | SKILL.md:4 |
Powered by SkillShield