Security Audit
Gumroad Automation
github.com/ComposioHQ/awesome-claude-skillsTrust Assessment
Gumroad Automation received a trust score of 86/100, placing it in the Mostly Trusted category. This skill has passed most security checks with only minor considerations noted.
SkillShield's automated analysis identified 1 finding: 0 critical, 1 high, 0 medium, and 0 low severity. Key findings include Potential Data Exfiltration via Arbitrary Webhook URL.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. All layers scored 70 or above, reflecting consistent security practices.
Last analyzed on February 17, 2026 (commit 99e2a295). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Layer Breakdown
Behavioral Risk Signals
Security Findings1
| Severity | Finding | Layer | Location | |
|---|---|---|---|---|
| HIGH | Potential Data Exfiltration via Arbitrary Webhook URL The `GUMROAD_SUBSCRIBE_TO_RESOURCE` tool allows the agent to subscribe to Gumroad events and specify an arbitrary `post_url`. An attacker who can control the agent's prompts could instruct it to set up webhooks to an attacker-controlled server. This would lead to the exfiltration of sensitive Gumroad event data (e.g., sales, refunds, customer information, product details) to an unauthorized third party, bypassing typical data access controls. Implement strict validation or whitelisting for `post_url` parameters to restrict webhook destinations to trusted domains. Consider requiring explicit user confirmation or an out-of-band approval process for webhook subscriptions to new or untrusted domains. Add a prominent security warning in the documentation regarding the risks of providing untrusted URLs for webhooks. | LLM | SKILL.md:60 |
Scan History
Embed Code
[](https://skillshield.io/report/2fcd48e78c296f5d)
Powered by SkillShield