Security Audit
gatherup-automation
github.com/ComposioHQ/awesome-claude-skills
Trust Assessment
gatherup-automation received a trust score of 85/100, placing it in the Mostly Trusted category. This skill has passed most security checks with only minor considerations noted.
SkillShield's automated analysis identified 1 finding: 0 critical, 0 high, 1 medium, and 0 low severity. The key finding is "Skill enables broad tool execution via Rube Remote Workbench".
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. All layers scored 70 or above, reflecting consistent security practices.
Last analyzed on February 20, 2026 (commit 27904475). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (1)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| MEDIUM | **Skill enables broad tool execution via Rube Remote Workbench.** The skill documentation explicitly mentions and provides an example for using `RUBE_REMOTE_WORKBENCH` with `run_composio_tool()`. This allows the AI agent to execute arbitrary Composio tools available through the Rube MCP, potentially granting access beyond the specific 'Gatherup' context. While this is an intended feature of the Rube MCP, it represents a broad permission that an agent could leverage for unintended operations if not carefully constrained. Consider if the `RUBE_REMOTE_WORKBENCH` tool is strictly necessary for the skill's intended purpose of 'Gatherup Automation'. If not, remove its mention to reduce the scope of agent capabilities. If necessary, ensure the host LLM or orchestrator applies strict input validation and access controls when `RUBE_REMOTE_WORKBENCH` is invoked, especially for the `run_composio_tool()` function, to prevent arbitrary tool execution. | LLM | SKILL.md:80 |