Security Audit
klipfolio-automation
github.com/ComposioHQ/awesome-claude-skillsTrust Assessment
klipfolio-automation received a trust score of 85/100, placing it in the Mostly Trusted category. This skill has passed most security checks with only minor considerations noted.
SkillShield's automated analysis identified 1 finding: 0 critical, 1 high, 0 medium, and 0 low severity. Key findings include Unpinned External MCP Dependency.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. All layers scored 70 or above, reflecting consistent security practices.
Last analyzed on February 17, 2026 (commit 99e2a295). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Layer Breakdown
Behavioral Risk Signals
Security Findings1
| Severity | Finding | Layer | Location | |
|---|---|---|---|---|
| HIGH | Unpinned External MCP Dependency The skill explicitly depends on an external Managed Control Plane (MCP) at `https://rube.app/mcp` as indicated in the manifest (`requires: {"mcp": ["rube"]}`) and the `SKILL.md` setup instructions. This dependency is unpinned, meaning no specific version or integrity check (e.g., hash) is specified. This introduces a supply chain risk where changes to the external MCP service, whether malicious or accidental, could directly impact the skill's functionality and security without the user's explicit consent or awareness. A compromised `rube.app/mcp` could lead to arbitrary code execution or data manipulation through the tools it provides. If possible, specify a version or a cryptographic hash for the `rube` MCP endpoint to ensure deterministic behavior and integrity. Alternatively, consider using a trusted, self-hosted instance of the MCP or a version-controlled proxy. Users should be made aware of the inherent trust placed in the `rube.app/mcp` provider. | Static | SKILL.md:16 |
Scan History
Embed Code
[](https://skillshield.io/report/5e60cab8494d6b37)
Powered by SkillShield