Security Audit

evenium-automation

github.com/ComposioHQ/awesome-claude-skills

AI SkillCommit 27904475d127

CAUTION

Scanned 2 months ago

Critical

Immediate action required

High

Priority fixes suggested

Medium

Best practices review

Low

Acknowledged / Tracked

Trust Assessment

evenium-automation received a trust score of 65/100, placing it in the Caution category. This skill has some security considerations that users should review before deployment.

SkillShield's automated analysis identified 5 findings: 1 critical, 3 high, 1 medium, and 0 low severity. Key findings include Arbitrary Code Execution via RUBE_REMOTE_WORKBENCH, Broad Access to Rube MCP Tools, Data Exfiltration Risk via RUBE_REMOTE_WORKBENCH.

The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The LLM Behavioral Safety layer scored lowest at 18/100, indicating areas for improvement.

Last analyzed on February 20, 2026 (commit 27904475). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.

Layer Breakdown

Manifest Analysis

100%

Static Code Analysis

100%

Dependency Graph

100%

LLM Behavioral Safety

18%

Behavioral Risk Signals

Network Access

1 finding

Filesystem Write

1 finding

Shell Execution

4 findings

Dynamic Code

4 findings

Excessive Permissions

1 finding

Security Findings5

Severity	Finding	Layer	Location
CRITICAL	Arbitrary Code Execution via RUBE_REMOTE_WORKBENCH The skill explicitly lists `RUBE_REMOTE_WORKBENCH` with `run_composio_tool()` as an approach for 'Bulk ops'. The term 'workbench' and the function `run_composio_tool()` strongly suggest the capability to execute arbitrary code or commands within the Rube MCP environment. If the LLM can be prompted to use this tool with malicious code, it could lead to critical command injection, allowing an attacker to execute arbitrary commands on the underlying system where Rube MCP operates or where the Composio tools are run. 1. Restrict `RUBE_REMOTE_WORKBENCH`: If `RUBE_REMOTE_WORKBENCH` indeed allows arbitrary code execution, it should not be exposed to the LLM or should be heavily restricted to a safe subset of operations. 2. Sandbox Execution: Ensure that any code executed via `run_composio_tool()` operates within a strictly sandboxed environment with minimal permissions and no network access to sensitive internal resources. 3. Input Validation: Implement rigorous input validation and sanitization for any arguments passed to `run_composio_tool()` to prevent injection of malicious commands or code. 4. Least Privilege: Re-evaluate if 'Bulk ops' truly requires arbitrary code execution or if specific, pre-defined, and safe bulk operations can be exposed instead.	LLM	SKILL.md:68
HIGH	Broad Access to Rube MCP Tools The skill instructs the LLM to use `RUBE_SEARCH_TOOLS` to discover available tools and then `RUBE_MULTI_EXECUTE_TOOL` to execute any discovered tool. This grants the LLM broad access to all Evenium operations exposed via Rube MCP. While the skill emphasizes schema compliance, it doesn't define any restrictions on which tools can be executed or what scope of operations they cover. This broad access, especially when combined with the potential for arbitrary code execution via `RUBE_REMOTE_WORKBENCH`, increases the attack surface and the potential impact of a successful prompt injection or other exploit. 1. Principle of Least Privilege: Limit the set of tools discoverable and executable by the LLM to only those strictly necessary for the skill's intended purpose. 2. Role-Based Access Control: Implement granular access controls within Rube MCP to restrict the permissions of the Evenium tools accessible through this skill. 3. Contextual Restrictions: Introduce mechanisms to restrict tool execution based on the current user context or specific workflow requirements, rather than allowing arbitrary tool execution.	LLM	SKILL.md:40
HIGH	Data Exfiltration Risk via RUBE_REMOTE_WORKBENCH If `RUBE_REMOTE_WORKBENCH` allows arbitrary code execution (as suggested by its name and `run_composio_tool()`), an attacker could craft malicious code to read sensitive data (e.g., environment variables, temporary files, data processed by other Composio tools) from the execution environment and exfiltrate it to an external server. This is a direct consequence of the command injection vulnerability. 1. Address Command Injection: The primary remediation is to mitigate the command injection risk associated with `RUBE_REMOTE_WORKBENCH`. 2. Network Isolation: Ensure the execution environment for `RUBE_REMOTE_WORKBENCH` has no outbound network access, or only to explicitly whitelisted, secure endpoints. 3. Data Sandboxing: Isolate the data accessible within the `RUBE_REMOTE_WORKBENCH` environment, preventing access to sensitive data not directly related to the task.	LLM	SKILL.md:68
HIGH	Potential Prompt Injection via `use_case` Parameter The skill instructs the LLM to use `RUBE_SEARCH_TOOLS` with a `use_case` parameter, which is a free-form text field (e.g., "your specific Evenium task"). If a malicious user can inject instructions into this `use_case` string, the LLM might interpret these as new instructions, potentially overriding its original goals, revealing sensitive information, or performing unintended actions. This is a common vector for prompt injection attacks in LLM-powered agents. 1. Strict Input Sanitization: Implement robust input validation and sanitization for the `use_case` parameter to filter out or escape any potentially malicious instructions or keywords. 2. LLM Guardrails: Configure the host LLM with strong guardrails and safety policies to detect and reject attempts to manipulate its instructions or extract sensitive information. 3. Contextual Filtering: Analyze the `use_case` in the context of the allowed operations and reject requests that deviate significantly from the expected intent. 4. Separate Instruction from Data: Ensure the LLM clearly distinguishes between user-provided data (like `use_case`) and its own internal instructions, preventing data from being interpreted as commands.	LLM	SKILL.md:35
MEDIUM	Indirect Credential Exposure Risk The skill instructs the LLM to use `RUBE_MANAGE_CONNECTIONS` and mentions following an "auth link to complete setup" if a connection is not active. This implies that the Evenium connection involves credentials (e.g., API keys, OAuth tokens) managed by Rube MCP. While the skill itself doesn't directly harvest credentials, if the `RUBE_MANAGE_CONNECTIONS` tool or other Rube tools were to expose these credentials (e.g., in logs, error messages, or through a misconfigured API), or if a malicious prompt could trick the LLM into revealing information about the connection process or status that contains sensitive parts of the auth link, it could lead to credential exposure. 1. Secure Credential Handling: Ensure Rube MCP and its tools handle credentials securely, never exposing them in plain text, logs, or API responses. 2. LLM Output Filtering: Implement strict filtering and sanitization of LLM outputs, especially when interacting with tools that manage sensitive information like connection details or authentication links, to prevent accidental leakage. 3. Ephemeral Credentials: Where possible, use short-lived, ephemeral credentials or tokens that minimize the window of exposure.	LLM	SKILL.md:28

Scan History

Embed Code

[![SkillShield](https://skillshield.io/api/v1/badge/cb43c50942add673.svg)](https://skillshield.io/report/cb43c50942add673)