Security Audit

active-campaign-automation

github.com/ComposioHQ/awesome-claude-skills

AI SkillCommit 27904475d127

TRUSTED

Scanned about 2 months ago

Critical

Immediate action required

High

Priority fixes suggested

Medium

Best practices review

Low

Acknowledged / Tracked

Trust Assessment

active-campaign-automation received a trust score of 85/100, placing it in the Mostly Trusted category. This skill has passed most security checks with only minor considerations noted.

SkillShield's automated analysis identified 2 findings: 0 critical, 0 high, 2 medium, and 0 low severity. Key findings include Unpinned dependency on 'rube' MCP, Broad access to ActiveCampaign operations.

The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. All layers scored 70 or above, reflecting consistent security practices.

Last analyzed on February 20, 2026 (commit 27904475). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.

Layer Breakdown

Manifest Analysis

100%

Static Code Analysis

86%

Dependency Graph

100%

LLM Behavioral Safety

100%

Behavioral Risk Signals

Shell Execution

1 finding

Excessive Permissions

1 finding

Security Findings2

Severity	Finding	Layer	Location
MEDIUM	Unpinned dependency on 'rube' MCP The skill's manifest specifies a dependency on 'rube' MCP without a version constraint. This could lead to unexpected behavior or security vulnerabilities if the 'rube' MCP changes in an incompatible or malicious way, as the skill would automatically use the latest version without explicit review. Pin the 'rube' MCP dependency to a specific version or version range in the manifest to ensure consistent and secure behavior. For example, `"mcp": ["rube@1.2.3"]` or `"mcp": ["rube@^1.0.0"]`.	Static	SKILL.md (manifest)
MEDIUM	Broad access to ActiveCampaign operations The skill enables an agent to perform a wide range of 'ActiveCampaign operations' via Rube MCP, using tools like `RUBE_MULTI_EXECUTE_TOOL`. The skill does not define or restrict the specific scope of these operations, meaning the agent could potentially access and manipulate sensitive customer data, marketing campaigns, and automations within the connected ActiveCampaign account. The actual permissions will be determined by the ActiveCampaign connection itself, but the skill provides the mechanism for broad access. Advise users to configure their ActiveCampaign API keys or OAuth connections with the principle of least privilege, granting only the minimum necessary permissions for the intended automation tasks. If possible, the skill itself could offer parameters or guidance to restrict the scope of operations it will attempt, or encourage the use of `RUBE_SEARCH_TOOLS` to understand and select specific, limited operations.	Static	SKILL.md:1

Scan History

Embed Code

[![SkillShield](https://skillshield.io/api/v1/badge/937471838585c60e.svg)](https://skillshield.io/report/937471838585c60e)