Security Audit
callpage-automation
github.com/ComposioHQ/awesome-claude-skills
Trust Assessment
callpage-automation received a trust score of 65/100, placing it in the Caution category. This skill has some security considerations that users should review before deployment.
SkillShield's automated analysis identified 3 findings: 1 critical, 2 high, 0 medium, and 0 low severity. Key findings include potential arbitrary code execution via RUBE_REMOTE_WORKBENCH, potential data exfiltration via RUBE_REMOTE_WORKBENCH, and broad tool execution capabilities via RUBE_MULTI_EXECUTE_TOOL.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The LLM Behavioral Safety layer scored lowest at 40/100, indicating areas for improvement.
Last analyzed on February 20, 2026 (commit 27904475). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (3)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| CRITICAL | Potential for arbitrary code execution via RUBE_REMOTE_WORKBENCH: the skill documentation explicitly mentions `RUBE_REMOTE_WORKBENCH` with `run_composio_tool()`. A 'workbench' typically implies an environment where arbitrary code or commands can be executed. If `run_composio_tool()` allows for unconstrained execution, this presents a critical command injection vulnerability, enabling an attacker to run arbitrary code on the host system or within the agent's environment. This also represents an excessive permission, as it grants broad execution capabilities. Remediation: implement strict sandboxing and whitelisting for `RUBE_REMOTE_WORKBENCH` and `run_composio_tool()`; ensure only explicitly approved and safe operations can be performed; avoid allowing arbitrary code execution. | LLM | SKILL.md:70 |
| HIGH | Potential for data exfiltration via RUBE_REMOTE_WORKBENCH: `RUBE_REMOTE_WORKBENCH` with `run_composio_tool()`, if capable of arbitrary code execution (as suggested by its name and function), could be exploited to read sensitive files, environment variables, or network data and exfiltrate them to an external attacker-controlled endpoint. This is a direct consequence of the potential command injection vulnerability. Remediation: as with command injection, strictly sandbox the workbench environment; prevent network egress to untrusted destinations and restrict file system access; implement data loss prevention (DLP) mechanisms. | LLM | SKILL.md:70 |
| HIGH | Broad tool execution capabilities via RUBE_MULTI_EXECUTE_TOOL: the skill uses `RUBE_MULTI_EXECUTE_TOOL`, which allows the agent to dynamically execute any tool discovered via `RUBE_SEARCH_TOOLS`. This grants broad permissions to the agent. If the underlying `callpage` toolkit contains tools with sensitive or destructive capabilities (e.g., deleting data, modifying critical configurations), an attacker could craft a prompt to instruct the agent to execute these tools, leading to unauthorized actions. The dynamic nature of tool discovery and execution increases the risk. Remediation: implement fine-grained access control for individual tools within the `callpage` toolkit; require explicit user confirmation or whitelisting for high-risk operations; consider limiting the scope of tools available to the agent or requiring human-in-the-loop for sensitive actions. | LLM | SKILL.md:49 |
Full report: https://skillshield.io/report/a0499b28e3dc86fa
Powered by SkillShield