Trust Assessment
moco-automation received a trust score of 85/100, placing it in the Mostly Trusted category. This skill has passed most security checks with only minor considerations noted.
SkillShield's automated analysis identified 1 finding: 0 critical, 1 high, 0 medium, and 0 low severity. Key findings include Broad Tool Execution via RUBE_REMOTE_WORKBENCH.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. All layers scored 70 or above, reflecting consistent security practices.
Last analyzed on February 20, 2026 (commit 27904475). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Layer Breakdown
Behavioral Risk Signals
Security Findings1
| Severity | Finding | Layer | Location | |
|---|---|---|---|---|
| HIGH | Broad Tool Execution via RUBE_REMOTE_WORKBENCH The skill's documentation indicates the use of `RUBE_REMOTE_WORKBENCH` for 'Bulk ops' with the capability to `run_composio_tool()`. This implies the ability to execute arbitrary tools within the broader Composio ecosystem, not just those specifically related to Moco. This grants the skill excessive permissions beyond its stated purpose of 'Moco Automation'. This also introduces a significant supply chain risk, as the security of this skill becomes dependent on the trustworthiness and security of all tools available through the Composio platform via `rube.app/mcp`. A compromised or malicious Composio tool could be executed through this mechanism, leading to unauthorized actions or data exfiltration. Restrict the capabilities of `RUBE_REMOTE_WORKBENCH` to only Moco-specific operations or remove its availability if not strictly necessary for Moco automation. Alternatively, implement a strict allowlist of Composio tools that `RUBE_REMOTE_WORKBENCH` is permitted to execute, ensuring they are vetted and scoped appropriately. | LLM | SKILL.md:68 |
Scan History
Embed Code
[](https://skillshield.io/report/1e653b4d674cd3de)
Powered by SkillShield