Trust Assessment
cal-automation received a trust score of 73/100, placing it in the Caution category. This skill has some security considerations that users should review before deployment.
SkillShield's automated analysis identified 2 findings: 0 critical, 2 high, 0 medium, and 0 low severity. The key findings are "Dynamic Tool Discovery and Execution Grants Broad Permissions" and "Reliance on External Dynamic Tool Definitions from Rube MCP".
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. All layers scored 70 or above, reflecting consistent security practices.
Last analyzed on February 17, 2026 (commit 99e2a295). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (2)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| HIGH | **Dynamic Tool Discovery and Execution Grants Broad Permissions.** The skill instructs the LLM to dynamically discover tools using `RUBE_SEARCH_TOOLS` and then execute them via `RUBE_MULTI_EXECUTE_TOOL` or `RUBE_REMOTE_WORKBENCH`. This pattern grants the LLM broad, potentially unconstrained, access to any functionality exposed by the `cal` toolkit through Rube MCP. The LLM is encouraged to 'discover available tools before executing workflows' and warned 'Never hardcode tool slugs or arguments without calling `RUBE_SEARCH_TOOLS`', reinforcing this dynamic and broad access. This could lead to unintended actions (e.g., deleting events, sharing private data) or access to sensitive data if the underlying `cal` tools have broad permissions and the LLM is not sufficiently constrained. Implement stricter controls on the types of tools the LLM can discover and execute. Instead of broad `RUBE_SEARCH_TOOLS` queries, provide a curated list of allowed tool slugs or specific use cases. Ensure that the `cal` toolkit itself adheres to the principle of least privilege, and that the LLM's execution environment has appropriate guardrails to prevent misuse of powerful tools. | LLM | SKILL.md:28 |
| HIGH | **Reliance on External Dynamic Tool Definitions from Rube MCP.** The skill explicitly relies on `https://rube.app/mcp` for its core functionality, including dynamic tool discovery (`RUBE_SEARCH_TOOLS`) and execution. The instruction 'Tool schemas change. Never hardcode tool slugs or arguments without calling `RUBE_SEARCH_TOOLS`' means the skill's behavior is entirely dependent on the definitions provided by the external Rube MCP service at runtime. If `rube.app` were compromised or became malicious, it could serve altered or malicious tool definitions, leading the LLM to execute arbitrary, harmful operations. This introduces a significant supply chain risk as the integrity of the skill's execution path is tied to an external, dynamically queried endpoint. Implement mechanisms to verify the integrity and authenticity of tool definitions retrieved from `rube.app`. Consider pinning to specific versions of tool schemas or using a trusted proxy/cache for tool definitions. Evaluate the security posture of `rube.app` and Composio to understand the risk associated with this external dependency. | LLM | SKILL.md:20 |