Security Audit
fillout_forms-automation
Source: github.com/ComposioHQ/awesome-claude-skills
Trust Assessment
fillout_forms-automation received a trust score of 71/100, placing it in the Caution category. This skill has some security considerations that users should review before deployment.
SkillShield's automated analysis identified 3 findings: 0 critical, 1 high, 2 medium, and 0 low severity. Key findings include broad access to Fillout operations and potential arbitrary code execution, an unpinned Rube MCP dependency, and reliance on an external workbench for code execution.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. All layers scored 70 or above, reflecting consistent security practices.
Last analyzed on February 17, 2026 (commit 99e2a295). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (3)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| HIGH | Broad access to Fillout operations and potential arbitrary code execution: The skill provides the LLM with extensive capabilities to manage Fillout resources (forms, submissions, workflows, form builder) through `RUBE_MULTI_EXECUTE_TOOL`. Furthermore, the `RUBE_REMOTE_WORKBENCH` tool, when used with `run_composio_tool()` and `ThreadPoolExecutor`, implies the ability to execute arbitrary code within the Rube MCP environment. This grants the LLM significant control over the connected Fillout account and potentially the execution environment, posing a high risk if the LLM is compromised or misused. Ensure strict access controls and monitoring are in place for the LLM's interactions with this skill. Implement robust sandboxing for `RUBE_REMOTE_WORKBENCH` to prevent privilege escalation or unauthorized access to the underlying system. Carefully review and limit the scope of Fillout tools exposed to the LLM if full automation is not strictly required. | Static | SKILL.md:60 |
| MEDIUM | Unpinned Rube MCP dependency: The skill's manifest specifies a dependency on the `rube` MCP (`"mcp": ["rube"]`) without a specific version. This unpinned dependency means that the system could potentially fetch any version of the `rube` MCP, including a malicious or vulnerable one, if not explicitly managed by the platform. This introduces a supply chain risk where a compromise of the `rube` MCP distribution channel could lead to the injection of malicious code. Pin the `rube` MCP dependency to a specific, known-good version (e.g., `"mcp": ["rube@1.2.3"]`) to ensure deterministic and secure dependency resolution. Regularly review and update pinned versions. | Static | Manifest (frontmatter JSON):1 |
| MEDIUM | Reliance on external workbench for code execution: The skill instructs the LLM to use `RUBE_REMOTE_WORKBENCH` for 'bulk operations or data processing' by executing `run_composio_tool()` in a loop with `ThreadPoolExecutor`. This implies that the Rube MCP provides an environment for arbitrary code execution. If this workbench environment is not adequately sandboxed, or if the inputs to `run_composio_tool()` are not rigorously validated and sanitized, it could lead to command injection vulnerabilities, allowing an attacker to execute arbitrary commands on the host system or within the Rube MCP infrastructure. The risk lies in the external dependency's implementation. The Rube MCP provider should ensure robust sandboxing and input validation for `RUBE_REMOTE_WORKBENCH` and `run_composio_tool()`. Skill developers should be aware of the power of this tool and use it with extreme caution, ensuring that any data passed to it originates from trusted sources and is thoroughly sanitized. | Static | SKILL.md:80 |