Security Audit
Lever Automation
github.com/ComposioHQ/awesome-claude-skills
Trust Assessment
Lever Automation received a trust score of 98/100, placing it in the Trusted category. This skill has passed all critical security checks and demonstrates strong security practices.
SkillShield's automated analysis identified 2 findings: 0 critical, 0 high, 0 medium, and 1 low severity. Key findings include: the skill enables powerful write and delete operations on sensitive data, and the skill manifest contains an unpinned dependency.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. All layers scored 70 or above, reflecting consistent security practices.
Last analyzed on February 17, 2026 (commit 99e2a295). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (2)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| LOW | Skill enables powerful write and delete operations on sensitive data. The skill provides tools such as `LEVER_UPDATE_REQUISITION` and `LEVER_DELETE_REQUISITION` which allow for modification and permanent deletion of critical recruiting data within Lever ATS. While these are intended functionalities for an automation skill, granting broad API permissions to the underlying Composio Lever integration could lead to significant data integrity risks if the integration is compromised or misused. The documentation correctly advises users to ensure their API key has sufficient scopes, but the inherent power of these tools warrants attention. Users should adhere strictly to the principle of least privilege when configuring API access for the Composio Lever integration. Grant only the minimum necessary scopes required for the intended automation tasks. Regularly review and audit granted permissions to prevent unauthorized data manipulation or deletion. | LLM | SKILL.md:70 |
| INFO | Unpinned dependency in skill manifest. The skill manifest declares a dependency on `rube` within the `mcp` ecosystem (`"requires": {"mcp": ["rube"]}`). The lack of a specified version (i.e., an unpinned dependency) means that the skill could potentially load any version of `rube`, including future versions that might introduce breaking changes, vulnerabilities, or malicious code. This introduces a supply chain risk as the integrity and behavior of the `rube` component are not locked down. Specify a precise version or version range for the `rube` dependency in the skill manifest to ensure deterministic behavior and mitigate risks from unexpected updates or malicious changes to the dependency. Conduct a thorough security review of all third-party dependencies. | LLM | SKILL.md |