Security Audit: nocrm-io-automation
Source: github.com/ComposioHQ/awesome-claude-skills

Trust Assessment
nocrm-io-automation received a trust score of 65/100, placing it in the Caution category. This skill has some security considerations that users should review before deployment.
SkillShield's automated analysis identified 4 findings: 0 critical, 2 high, 2 medium, and 0 low severity. Key findings include Unpinned External MCP Dependency, Potential Command Injection via RUBE_REMOTE_WORKBENCH, and Indirect Prompt Injection via Dynamic Tool Schemas/Execution Plans.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The LLM Behavioral Safety layer scored lowest at 56/100, indicating areas for improvement.
Last analyzed on February 20, 2026 (commit 27904475). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (4)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| HIGH | **Unpinned External MCP Dependency.** The skill manifest specifies a dependency on the 'rube' Managed Control Plane (MCP) without a version constraint. This means the agent could connect to any version of the Rube MCP, including potentially malicious or vulnerable future versions. An attacker could compromise the 'rube.app/mcp' endpoint or publish a malicious update, leading to arbitrary code execution, data exfiltration, or other severe impacts on the agent. Recommendation: Pin the 'rube' MCP dependency to a specific, known-good version in the 'requires' section of the manifest (e.g., `{"mcp": ["rube==1.2.3"]}`). Implement mechanisms to verify the integrity of the MCP endpoint. | LLM | SKILL.md |
| HIGH | **Potential Command Injection via RUBE_REMOTE_WORKBENCH.** The skill mentions `RUBE_REMOTE_WORKBENCH` with `run_composio_tool()` for 'Bulk ops'. The term 'workbench' and the function `run_composio_tool()` strongly suggest an environment capable of executing arbitrary code or commands. If this tool allows the LLM to specify or influence the code executed, it presents a significant command injection vulnerability. This could lead to arbitrary code execution on the host system or within the MCP's environment, potentially compromising the agent or its infrastructure. Recommendation: Clarify the exact capabilities and security model of `RUBE_REMOTE_WORKBENCH` and `run_composio_tool()`. If it allows arbitrary code execution, it should be removed or severely restricted. If it is intended for specific, safe operations, ensure it is sandboxed and only allows predefined, safe commands. | LLM | SKILL.md:70 |
| MEDIUM | **Indirect Prompt Injection via Dynamic Tool Schemas/Execution Plans.** The skill instructs the LLM to call `RUBE_SEARCH_TOOLS` to retrieve 'tool schemas, recommended execution plans, and known pitfalls.' If the Rube MCP is compromised or malicious, it could return 'execution plans' or 'pitfalls' that contain instructions designed to manipulate the host LLM's behavior, effectively acting as a prompt injection vector. The LLM is explicitly told to process and act upon this dynamic content, making it vulnerable to malicious instructions embedded within the tool descriptions. Recommendation: Implement strict sanitization and validation of all dynamic content received from `RUBE_SEARCH_TOOLS`, especially 'recommended execution plans'. The LLM should be explicitly instructed to treat such content as data, not instructions, and to filter out any manipulative language. Consider signing and verifying the integrity of tool schemas and execution plans. | LLM | SKILL.md:40 |
| MEDIUM | **Data Exfiltration Risk through Nocrm IO API via RUBE_MULTI_EXECUTE_TOOL.** The `RUBE_MULTI_EXECUTE_TOOL` allows the LLM to execute Nocrm IO tools with 'schema-compliant args from search results'. If any Nocrm IO tool, when exposed via Rube, has the capability to read local files, environment variables, or other sensitive data from the agent's environment and then transmit it through the Nocrm IO API (e.g., by attaching it to a record, sending it in a message, or logging it), this could lead to data exfiltration. The skill itself does not define these tools, but relies on dynamic discovery from Rube. Recommendation: Ensure that Nocrm IO tools exposed via Rube MCP are carefully vetted to prevent access to sensitive local resources (files, environment variables) or the ability to transmit arbitrary data to external, untrusted endpoints. Implement strict input validation on tool arguments to prevent malicious data injection. | LLM | SKILL.md:57 |
Full report: https://skillshield.io/report/45d3ec22fd8bcb0c