Security Audit

givebutter-automation

github.com/ComposioHQ/awesome-claude-skills

AI SkillCommit 27904475d127

TRUSTED

Scanned about 2 months ago

Critical

Immediate action required

High

Priority fixes suggested

Medium

Best practices review

Low

Acknowledged / Tracked

Trust Assessment

givebutter-automation received a trust score of 85/100, placing it in the Mostly Trusted category. This skill has passed most security checks with only minor considerations noted.

SkillShield's automated analysis identified 1 finding: 0 critical, 0 high, 1 medium, and 0 low severity. Key findings include Broad access to Givebutter operations via Rube MCP.

The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. All layers scored 70 or above, reflecting consistent security practices.

Last analyzed on February 20, 2026 (commit 27904475). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.

Layer Breakdown

Manifest Analysis

100%

Static Code Analysis

100%

Dependency Graph

100%

LLM Behavioral Safety

93%

Behavioral Risk Signals

Shell Execution

1 finding

Excessive Permissions

1 finding

Security Findings1

Severity	Finding	Layer	Location
MEDIUM	Broad access to Givebutter operations via Rube MCP The skill is designed to 'Automate Givebutter tasks' and leverages Rube MCP's generic execution tools (`RUBE_MULTI_EXECUTE_TOOL`, `RUBE_REMOTE_WORKBENCH`) to perform these operations. This implies that once the `givebutter` toolkit connection is authorized via `RUBE_MANAGE_CONNECTIONS`, the skill gains comprehensive access to the Givebutter platform. While this may be the intended functionality for a general automation skill, it means the skill operates with a broad scope of permissions, potentially exceeding the least privilege principle for specific, limited tasks. Any compromise of the skill or misuse could lead to extensive unauthorized actions on the Givebutter account. Implement granular authorization scopes for the Givebutter connection if the underlying Rube MCP and Givebutter API support it. Encourage users to review the exact permissions granted during the `RUBE_MANAGE_CONNECTIONS` step. For specific tasks, consider creating more narrowly scoped skills or tools that only expose the necessary Givebutter API endpoints.	LLM	SKILL.md:5

Scan History

Embed Code

[![SkillShield](https://skillshield.io/api/v1/badge/f92d15bb376907e2.svg)](https://skillshield.io/report/f92d15bb376907e2)