Security Audit
certifier-automation
github.com/ComposioHQ/awesome-claude-skills
Trust Assessment
certifier-automation received a trust score of 86/100, placing it in the Mostly Trusted category. This skill has passed most security checks with only minor considerations noted.
SkillShield's automated analysis identified 2 findings: 0 critical, 1 high, 0 medium, and 0 low severity (the second finding is informational). Key findings include "Skill grants broad, dynamic tool execution capabilities via Rube MCP" and "Unpinned dependency in manifest".
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. All layers scored 70 or above, reflecting consistent security practices.
Last analyzed on February 17, 2026 (commit 99e2a295). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Layer Breakdown
Behavioral Risk Signals
Security Findings (2)
| Severity | Finding | Description | Recommendation | Layer | Location |
|---|---|---|---|---|---|
| HIGH | Skill grants broad, dynamic tool execution capabilities via Rube MCP | The `certifier-automation` skill provides the AI agent with access to Rube MCP tools such as `RUBE_MULTI_EXECUTE_TOOL` and `RUBE_REMOTE_WORKBENCH` (which includes `run_composio_tool()`). Crucially, it instructs the agent to dynamically discover available tools using `RUBE_SEARCH_TOOLS` before execution. This design allows the LLM to discover and execute a potentially wide range of "Certifier operations" without explicit constraints defined in the skill's static configuration. The actual scope and impact of these operations are determined by the Rube MCP system and the "Certifier" toolkit, which could include sensitive data access, modifications, or even destructive actions on external systems. This broad, dynamic access to external execution capabilities represents an excessive permission scope for an AI agent, increasing the risk of unintended or malicious actions if the agent is compromised or misinterprets instructions. | Implement stricter access controls and scope limitations within the Rube MCP system for the "Certifier" toolkit. If possible, define a more constrained and explicit set of allowed `tool_slug` values or argument schemas within the skill's manifest or configuration, rather than relying solely on dynamic discovery. Ensure that the Rube MCP system itself has robust security measures, including input validation, authorization, and auditing, especially for `RUBE_MULTI_EXECUTE_TOOL` and `RUBE_REMOTE_WORKBENCH`, to prevent command injection or unauthorized actions. Provide clearer documentation on the specific capabilities and potential impact of "Certifier operations" to allow for better risk assessment. | LLM | SKILL.md:37 |
| INFO | Unpinned dependency in manifest | The skill's manifest declares a dependency on `mcp: ['rube']` without specifying a precise version or version range. This lack of version pinning can lead to unpredictable behavior, compatibility issues, or vulnerabilities if a new, incompatible, or potentially malicious version of the `rube` MCP is introduced into the environment. Relying on the latest available version without explicit control increases supply chain risk. | Specify a precise version or version range for the `rube` dependency in the manifest to ensure consistent and secure behavior. For example, `"mcp": ["rube==1.2.3"]` for an exact version or `"mcp": ["rube>=1.2.3,<2.0.0"]` for a compatible range. | LLM | manifest |
Powered by SkillShield. Full report: https://skillshield.io/report/815b443686312c20