Security Audit
Gumroad Automation
github.com/ComposioHQ/awesome-claude-skills
Trust Assessment
Gumroad Automation received a trust score of 85/100, placing it in the Mostly Trusted category. This skill has passed most security checks with only minor considerations noted.
SkillShield's automated analysis identified 1 finding: 0 critical, 1 high, 0 medium, and 0 low severity. Key findings include Webhook subscription allows data exfiltration to arbitrary URLs.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. All layers scored 70 or above, reflecting consistent security practices.
Last analyzed on February 20, 2026 (commit 27904475). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (1)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| HIGH | Webhook subscription allows data exfiltration to arbitrary URLs. The `GUMROAD_SUBSCRIBE_TO_RESOURCE` tool, as described, allows users to specify an arbitrary `post_url` for receiving Gumroad event notifications. This capability can be abused by a malicious actor or through a prompt injection attack to exfiltrate sensitive Gumroad data (e.g., sales, refunds, customer information) to an attacker-controlled endpoint. There are no apparent restrictions or validations on the provided URL. Recommendation: implement an allowlist for `post_url` domains, or require explicit user confirmation for subscriptions to untrusted URLs. If possible, restrict webhook subscriptions to only trusted, pre-configured endpoints or domains. Provide clear warnings to users about the security implications of subscribing to arbitrary URLs. | LLM | SKILL.md:67 |
Full report: https://skillshield.io/report/99874a8782fdd214
Powered by SkillShield