Security Audit
nextdns-automation
github.com/ComposioHQ/awesome-claude-skills

Trust Assessment
nextdns-automation received a trust score of 65/100, placing it in the Caution category. This skill has some security considerations that users should review before deployment.
SkillShield's automated analysis identified 3 findings: 1 critical, 1 high, 1 medium, and 0 low severity. Key findings include Potential Command Injection / Excessive Permissions via RUBE_REMOTE_WORKBENCH, Supply Chain Risk: Unpinned Dependencies, Potential Data Exfiltration / Excessive Permissions via RUBE_MULTI_EXECUTE_TOOL.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The LLM Behavioral Safety layer scored lowest at 48/100, indicating areas for improvement.
Last analyzed on February 20, 2026 (commit 27904475). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (3)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| CRITICAL | **Potential Command Injection / Excessive Permissions via RUBE_REMOTE_WORKBENCH.** The skill describes using `RUBE_REMOTE_WORKBENCH` for 'Bulk ops' with `run_composio_tool()`. The term 'workbench' and the function `run_composio_tool()` strongly suggest an environment capable of executing arbitrary code or complex operations. If this execution environment is not strictly sandboxed and limited, it could be exploited for command injection, allowing an attacker to execute arbitrary system commands or unconstrained code, leading to full system compromise or data exfiltration. Recommendation: Clarify the exact capabilities and sandboxing of `RUBE_REMOTE_WORKBENCH` and `run_composio_tool()`. Ensure that this tool cannot execute arbitrary system commands, access unauthorized file system paths, or communicate with untrusted external services. If code execution is intended, it must be within a highly restricted, isolated, and audited environment. | LLM | SKILL.md:70 |
| HIGH | **Supply Chain Risk: Unpinned Dependencies.** The skill's manifest specifies a dependency on 'rube' (`'mcp': ['rube']`) and the skill body refers to the 'nextdns' toolkit without specifying any version constraints. This lack of version pinning means that any future updates to the 'rube' MCP or the 'nextdns' toolkit could introduce vulnerabilities, breaking changes, or malicious code without explicit review, posing a significant supply chain risk to the agent using this skill. Recommendation: Pin dependencies to specific versions or version ranges (e.g., `rube==1.2.3` or `rube>=1.0,<2.0`) in the manifest. This ensures stability and allows for controlled security review of updates before they are automatically incorporated. | LLM | Manifest / SKILL.md:20 |
| MEDIUM | **Potential Data Exfiltration / Excessive Permissions via RUBE_MULTI_EXECUTE_TOOL.** The `RUBE_MULTI_EXECUTE_TOOL` allows the execution of 'Nextdns operations'. While Nextdns operations are specific to DNS management, the skill does not define or limit the scope of these operations. If any of the underlying Nextdns tools exposed through this interface allow for reading sensitive DNS configurations, logs, or forwarding data to arbitrary external endpoints, it could be exploited for data exfiltration. The broad nature of 'Nextdns operations' without explicit constraints presents a risk of excessive permissions. Recommendation: Clearly define and limit the scope of operations available through `RUBE_MULTI_EXECUTE_TOOL`. Ensure that the exposed Nextdns tools do not have capabilities for arbitrary data export, access to overly sensitive system information, or communication with untrusted external services. Implement strict input validation and output sanitization for all tool arguments and results. | LLM | SKILL.md:55 |
Full report: [skillshield.io/report/872af8d32055d1a1](https://skillshield.io/report/872af8d32055d1a1)