Security Audit
botstar-automation
github.com/ComposioHQ/awesome-claude-skills
Trust Assessment
botstar-automation received a trust score of 65/100, placing it in the Caution category. This skill has some security considerations that users should review before deployment.
SkillShield's automated analysis identified 2 findings: 1 critical, 1 high, 0 medium, and 0 low severity. Key findings include broad tool execution capability via RUBE_MULTI_EXECUTE_TOOL and arbitrary Composio tool execution via RUBE_REMOTE_WORKBENCH.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The LLM Behavioral Safety layer scored lowest at 55/100, indicating areas for improvement.
Last analyzed on February 17, 2026 (commit 99e2a295). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (2)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| CRITICAL | **Arbitrary Composio tool execution via RUBE_REMOTE_WORKBENCH.** The skill mentions `RUBE_REMOTE_WORKBENCH` with `run_composio_tool()` for 'Bulk ops'. The name `run_composio_tool()` strongly suggests the ability to execute *any* tool available within the Composio ecosystem, not just Botstar-specific ones. If an LLM can be prompted to use `RUBE_REMOTE_WORKBENCH` to call `run_composio_tool()` with arbitrary tool names and arguments, this represents a critical security vulnerability. It could allow for arbitrary command execution, filesystem manipulation, network requests, or other highly privileged operations, depending on the scope of tools available in Composio. This bypasses any implicit or explicit restrictions to Botstar-specific operations. **Recommendation:** The `RUBE_REMOTE_WORKBENCH` and `run_composio_tool()` functionality should be heavily restricted. If it is intended for specific bulk operations, it should only allow a predefined, allow-listed set of operations or tools. The environment where `run_composio_tool()` executes must be strictly sandboxed, and its access to system resources (filesystem, network, other tools) must be minimized to the absolute necessary. The LLM's internal logic must prevent arbitrary tool names or arguments from being passed to this function. | LLM | SKILL.md:76 |
| HIGH | **Broad tool execution capability via RUBE_MULTI_EXECUTE_TOOL.** The skill describes the use of `RUBE_MULTI_EXECUTE_TOOL`, which allows executing tools by `tool_slug` and `arguments`. While the skill recommends discovering tools first via `RUBE_SEARCH_TOOLS`, an LLM could be prompted to bypass this recommendation and call `RUBE_MULTI_EXECUTE_TOOL` with arbitrary `tool_slug`s and `arguments`. If the underlying Rube MCP provides access to tools beyond the intended Botstar scope (e.g., filesystem access, network requests, or system commands), or if Botstar tools themselves have dangerous capabilities, this could lead to unauthorized actions, data exfiltration, or command injection. **Recommendation:** Implement strict allow-listing or sandboxing of `tool_slug`s and `arguments` that can be passed to `RUBE_MULTI_EXECUTE_TOOL`. Ensure the Rube MCP environment is sandboxed and only exposes necessary tools with least privilege. The LLM's internal logic should enforce the `RUBE_SEARCH_TOOLS` discovery step and validate `tool_slug`s and `arguments` against the discovered schema before execution. | LLM | SKILL.md:49 |
Full report: https://skillshield.io/report/1f4eba007ef594fd
Powered by SkillShield