Security Audit
cloudconvert-automation
github.com/ComposioHQ/awesome-claude-skills
Trust Assessment
cloudconvert-automation received a trust score of 93/100, placing it in the Trusted category. This skill has passed all critical security checks and demonstrates strong security practices.
SkillShield's automated analysis identified 1 finding: 0 critical, 0 high, 1 medium, and 0 low severity. The key finding is that the skill grants broad Rube MCP access beyond its stated Cloudconvert scope.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. All layers scored 70 or above, reflecting consistent security practices.
Last analyzed on February 17, 2026 (commit 99e2a295). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (1)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| MEDIUM | Skill grants broad Rube MCP access beyond stated Cloudconvert scope. The skill's manifest requires `mcp: ["rube"]`, granting access to all tools within the Rube MCP. While the skill's name ('cloudconvert-automation') and primary documentation focus on Cloudconvert operations, it explicitly mentions and suggests the use of `RUBE_REMOTE_WORKBENCH` for 'Bulk ops' and `run_composio_tool()`. If `RUBE_REMOTE_WORKBENCH` allows execution of arbitrary Composio tools (not strictly limited to Cloudconvert), this grants the skill permissions far exceeding its stated purpose, potentially allowing interaction with other connected toolkits or systems without explicit user intent for those systems. If the skill is strictly intended for Cloudconvert, consider if `RUBE_REMOTE_WORKBENCH` is truly necessary. If it is, ensure its usage is strictly scoped to Cloudconvert operations within the skill's logic, or clarify its broader capabilities and potential access to other toolkits. If the Rube MCP supports more granular permissions, refine the `requires` in the manifest (e.g., `mcp: ["rube:cloudconvert"]`) to limit access only to the necessary toolkit. | Static | SKILL.md:101 |