Security Audit
appcircle-automation
github.com/ComposioHQ/awesome-claude-skills
Trust Assessment
appcircle-automation received a trust score of 65/100, placing it in the Caution category. This skill has some security considerations that users should review before deployment.
SkillShield's automated analysis identified 3 findings: 1 critical, 1 high, 1 medium, and 0 low severity. Key findings include Broad tool execution via RUBE_MULTI_EXECUTE_TOOL, Unspecified powerful tool RUBE_REMOTE_WORKBENCH, Unversioned dependency on Rube MCP.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The LLM Behavioral Safety layer scored lowest at 48/100, indicating areas for improvement.
Last analyzed on February 20, 2026 (commit 27904475). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (3)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| CRITICAL | Unspecified powerful tool RUBE_REMOTE_WORKBENCH: The skill mentions `RUBE_REMOTE_WORKBENCH` for 'Bulk ops' with `run_composio_tool()`. The term 'workbench' often implies an environment for executing arbitrary code or complex operations. Without clear documentation or examples of its usage and security boundaries, this tool represents a significant risk. If it allows arbitrary code execution (e.g., shell commands, Python `eval`/`exec`) or execution of any Composio tool based on untrusted input, it could lead to critical command injection or excessive permissions. Provide detailed documentation for `RUBE_REMOTE_WORKBENCH`, including its capabilities, security implications, and how to safely use it. If it allows arbitrary code execution, it should be removed or heavily restricted. If it only allows specific tool executions, this should be clearly stated and controlled. | LLM | SKILL.md:80 |
| HIGH | Broad tool execution via RUBE_MULTI_EXECUTE_TOOL: The skill instructs the LLM to use `RUBE_MULTI_EXECUTE_TOOL` to execute any tool discovered via `RUBE_SEARCH_TOOLS`. This grants the LLM broad permissions to perform any operation available through the Appcircle toolkit, including potentially destructive or sensitive actions, if the underlying tools allow them. An LLM compromised by prompt injection could leverage this to perform unauthorized actions. Implement fine-grained access control for tools, allowing the skill to access only a predefined, minimal set of necessary Appcircle operations. Avoid granting blanket execution rights to all discovered tools. | LLM | SKILL.md:49 |
| MEDIUM | Unversioned dependency on Rube MCP: The skill declares a dependency on the `rube` MCP (`"mcp": ["rube"]`) and instructs to connect to `https://rube.app/mcp`. However, no specific version of the `rube` MCP is specified or pinned. This means that updates to the `rube.app` endpoint could introduce breaking changes, vulnerabilities, or malicious behavior without the skill author's explicit review or approval, posing a supply chain risk. Implement version pinning for the `rube` MCP dependency to ensure consistent and reviewed behavior. For example, if Rube MCP supports versioning, specify a minimum or exact version. | LLM | SKILL.md:1 |