Security Audit: bench-automation
Source: github.com/ComposioHQ/awesome-claude-skills

Trust Assessment
bench-automation received a trust score of 65/100, placing it in the Caution category. This skill has some security considerations that users should review before deployment.
SkillShield's automated analysis identified 3 findings: 2 critical, 0 high, 1 medium, and 0 low severity. Key findings include Broad Tool Execution Capability via RUBE_MULTI_EXECUTE_TOOL, Arbitrary Composio Tool Execution via RUBE_REMOTE_WORKBENCH, Unversioned Rube MCP Dependency.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The LLM Behavioral Safety layer scored lowest at 33/100, indicating areas for improvement.
Last analyzed on February 17, 2026 (commit 99e2a295). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (3)

| Severity | Finding | Layer | Location |
|---|---|---|---|
| CRITICAL | **Broad Tool Execution Capability via RUBE_MULTI_EXECUTE_TOOL.** The skill instructs the LLM to use `RUBE_MULTI_EXECUTE_TOOL` to execute any tool slug discovered from `RUBE_SEARCH_TOOLS` with arbitrary, schema-compliant arguments. This grants the LLM broad and unconstrained access to all operations exposed by the `bench` toolkit. If any underlying `bench` tool is vulnerable to command injection or other forms of arbitrary execution through its arguments, a malicious prompt could exploit this to execute arbitrary commands on the host system or within the Composio environment. Implement fine-grained access control for `RUBE_MULTI_EXECUTE_TOOL` to restrict which tool slugs an LLM can execute. Ensure all arguments passed to underlying tools are rigorously sanitized and validated to prevent command injection. Consider a whitelist of allowed tool slugs for LLM interaction. | LLM | SKILL.md:49 |
| CRITICAL | **Arbitrary Composio Tool Execution via RUBE_REMOTE_WORKBENCH.** The skill's quick reference mentions `RUBE_REMOTE_WORKBENCH` with `run_composio_tool()` for 'Bulk ops'. The naming suggests this tool can execute arbitrary Composio tools or potentially arbitrary code within the Composio platform. This represents a highly privileged operation. If an attacker can craft a prompt to control the arguments passed to `run_composio_tool()`, it could lead to arbitrary code execution or significant compromise of the Composio environment. Provide detailed documentation on the capabilities and security implications of `RUBE_REMOTE_WORKBENCH` and `run_composio_tool()`. Implement strict input validation and sandboxing for `run_composio_tool()` to prevent arbitrary code execution. Restrict LLM access to this tool or require explicit human approval for its use. | LLM | SKILL.md:74 |
| MEDIUM | **Unversioned Rube MCP Dependency.** The skill relies on the `rube` MCP from `https://rube.app/mcp` without specifying a particular version. This means the skill will automatically use the latest version of the Rube MCP. If a future update to the Rube MCP introduces vulnerabilities, breaking changes, or malicious code, the skill would inherit these issues without explicit review or control, posing a supply chain risk. Implement version pinning for the `rube` MCP dependency. This could involve specifying a minimum or exact version in the manifest or client configuration, ensuring that updates are reviewed before deployment. | LLM | SKILL.md:26 |
Report: https://skillshield.io/report/10a60b2940ea3891
Powered by SkillShield