Security Audit

ambient-weather-automation

github.com/ComposioHQ/awesome-claude-skills

AI SkillCommit 27904475d127

TRUSTED

Scanned about 2 months ago

Critical

Immediate action required

High

Priority fixes suggested

Medium

Best practices review

Low

Acknowledged / Tracked

Trust Assessment

ambient-weather-automation received a trust score of 85/100, placing it in the Mostly Trusted category. This skill has passed most security checks with only minor considerations noted.

SkillShield's automated analysis identified 1 finding: 0 critical, 1 high, 0 medium, and 0 low severity. Key findings include Reliance on external MCP introduces supply chain risk.

The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. All layers scored 70 or above, reflecting consistent security practices.

Last analyzed on February 20, 2026 (commit 27904475). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.

Layer Breakdown

Manifest Analysis

100%

Static Code Analysis

100%

Dependency Graph

100%

LLM Behavioral Safety

85%

Behavioral Risk Signals

Network Access

1 finding

Excessive Permissions

1 finding

Security Findings1

Severity	Finding	Layer	Location
HIGH	Reliance on external MCP introduces supply chain risk The skill explicitly instructs the user to configure their client to use `https://rube.app/mcp` as an MCP server. This introduces a direct and critical dependency on an external, third-party service (`rube.app`). The security and integrity of the entire Ambient Weather automation workflow, including credential management and data handling, become reliant on the trustworthiness and security posture of `rube.app`. A compromise of `rube.app` or its underlying infrastructure could lead to unauthorized access to Ambient Weather accounts, data exfiltration, or malicious actions. While this is a common integration pattern for external services, it represents a significant supply chain risk as the skill itself cannot guarantee the security of this external component. Users should be made aware of the security implications of relying on third-party services. Skill developers should provide documentation on the security practices of `rube.app` or consider offering alternative, self-hosted options if applicable. For users, it is recommended to verify the reputation and security of `rube.app` before configuring their client to use it.	LLM	SKILL.md:16

Scan History

Embed Code

[![SkillShield](https://skillshield.io/api/v1/badge/af4c9cc190c13de2.svg)](https://skillshield.io/report/af4c9cc190c13de2)