Security Audit
certifier-automation
github.com/ComposioHQ/awesome-claude-skills
Trust Assessment
certifier-automation received a trust score of 65/100, placing it in the Caution category. This skill has some security considerations that users should review before deployment.
SkillShield's automated analysis identified 3 findings: 1 critical, 2 high, 0 medium, and 0 low severity. Key findings include Unpinned MCP dependency, Potential arbitrary code execution via RUBE_REMOTE_WORKBENCH, Broad connection management permissions.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The LLM Behavioral Safety layer scored lowest at 40/100, indicating areas for improvement.
Last analyzed on February 20, 2026 (commit 27904475). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Layer Breakdown
Behavioral Risk Signals
Security Findings (3)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| CRITICAL | Potential arbitrary code execution via RUBE_REMOTE_WORKBENCH. The skill documentation mentions `RUBE_REMOTE_WORKBENCH` with `run_composio_tool()` for 'Bulk ops'. The term 'workbench' and the ability to run a 'tool' within it strongly suggest a capability for executing arbitrary code or complex, potentially unconstrained operations. If `run_composio_tool()` can be manipulated to execute arbitrary commands or scripts, this poses a critical command injection vulnerability. The lack of explicit details on its security model, sandboxing, or input validation is a significant concern. Provide explicit documentation on the security model and sandboxing of `RUBE_REMOTE_WORKBENCH` and `run_composio_tool()`. Restrict its capabilities to only safe, predefined operations, or remove it if not strictly necessary. Ensure all inputs are rigorously validated and sanitized to prevent command injection. | LLM | SKILL.md:91 |
| HIGH | Unpinned MCP dependency. The skill manifest specifies a dependency on the 'rube' MCP without a version constraint. This could lead to unexpected behavior, breaking changes, or security vulnerabilities if a malicious or incompatible version of 'rube' is introduced. Without version pinning, the skill is susceptible to supply chain attacks if the 'rube' MCP is compromised or altered. Pin the 'rube' MCP dependency to a specific, known-good version (e.g., `{"mcp": ["rube@1.2.3"]}`) or a well-defined version range to mitigate risks from unvetted updates. | LLM | SKILL.md:1 |
| HIGH | Broad connection management permissions. The `RUBE_MANAGE_CONNECTIONS` tool allows the LLM to manage connections for the `certifier` toolkit. This includes establishing new connections or potentially revoking existing ones. If an attacker can manipulate the LLM to call this tool with malicious parameters, it could lead to unauthorized access to external services, disruption of legitimate operations, or credential exposure if connection details are mishandled. Implement strict access controls and user consent mechanisms for `RUBE_MANAGE_CONNECTIONS`. Ensure that connection establishment requires explicit user approval, especially for sensitive integrations. Limit the scope of connections that can be managed by the LLM to only those strictly necessary for the skill's intended function. | LLM | SKILL.md:13 |
Scan History
Powered by SkillShield