Security Audit: onedesk-automation
Source: github.com/ComposioHQ/awesome-claude-skills
Trust Assessment
onedesk-automation received a trust score of 65/100, placing it in the Caution category. This skill has some security considerations that users should review before deployment.
SkillShield's automated analysis identified 4 findings: 2 critical, 2 high, 0 medium, and 0 low severity. Key findings include Prompt Injection via RUBE_SEARCH_TOOLS 'use_case' parameter, Potential Command/Code Injection via RUBE_REMOTE_WORKBENCH, Potential Command/Code Injection via RUBE_MULTI_EXECUTE_TOOL arguments.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The LLM Behavioral Safety layer scored lowest at 10/100, indicating areas for improvement.
Last analyzed on February 20, 2026 (commit 27904475). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (4)
| Severity | Finding | Description | Recommendation | Layer | Location |
|---|---|---|---|---|---|
| CRITICAL | Prompt Injection via RUBE_SEARCH_TOOLS 'use_case' parameter | The `RUBE_SEARCH_TOOLS` function accepts a `use_case` parameter, which is intended for natural language input describing the desired operation. If this input is processed directly by an underlying Large Language Model (LLM) without proper sanitization or instruction-following safeguards, an attacker could inject malicious prompts. This could lead to the LLM performing unintended actions, revealing sensitive information, or generating harmful content. | Implement robust input validation and sanitization for all natural language inputs, especially those fed to LLMs. Use strict instruction-following techniques (e.g., few-shot examples, XML/JSON tags) to constrain LLM behavior. Ensure the LLM operates within a tightly sandboxed environment with minimal permissions. | LLM | SKILL.md:28 |
| CRITICAL | Potential Command/Code Injection via RUBE_REMOTE_WORKBENCH | The skill mentions `RUBE_REMOTE_WORKBENCH` with `run_composio_tool()` for 'Bulk ops'. The term 'workbench' and the function name `run_composio_tool()` strongly suggest that this tool allows execution of arbitrary code or commands. If the arguments or instructions passed to `RUBE_REMOTE_WORKBENCH` are user-controlled and not rigorously validated and sandboxed, this could lead to critical command or code injection vulnerabilities, allowing an attacker to execute arbitrary commands on the host system or connected services. | Ensure that `RUBE_REMOTE_WORKBENCH` and `run_composio_tool()` operate within a highly restricted and sandboxed environment. Implement strict allow-listing for commands and arguments, disallowing any arbitrary code execution. All inputs must be thoroughly validated against a strict schema, and any dynamic execution should be prevented or severely limited. | LLM | SKILL.md:80 |
| HIGH | Potential Command/Code Injection via RUBE_MULTI_EXECUTE_TOOL arguments | The `RUBE_MULTI_EXECUTE_TOOL` function allows executing tools with `arguments` that are described as 'schema-compliant'. While schema compliance implies some validation, if the underlying tool schemas permit arguments that are later interpreted as shell commands, script paths, or code snippets (e.g., through `eval` or `subprocess` calls), an attacker could craft malicious inputs. This could lead to command or code injection, allowing unauthorized operations on the system or connected services. | Review all tool schemas used by `RUBE_MULTI_EXECUTE_TOOL` to ensure that no arguments can be interpreted as executable code or commands. Implement strict type checking and content validation for all arguments. If dynamic execution is necessary, ensure it is done in a highly sandboxed environment with minimal privileges and strict allow-listing of operations. | LLM | SKILL.md:58 |
| HIGH | Excessive Permissions granted by Rube MCP integration | The skill integrates with Rube MCP, which provides powerful capabilities including tool discovery (`RUBE_SEARCH_TOOLS`), connection management (`RUBE_MANAGE_CONNECTIONS`), multi-tool execution (`RUBE_MULTI_EXECUTE_TOOL`), and a remote workbench (`RUBE_REMOTE_WORKBENCH`). This broad set of functionalities, especially the ability to execute multiple tools and potentially arbitrary code via the workbench, grants significant permissions to the skill. If any of these tools is exploited (e.g., via injection), the extensive permissions could lead to severe consequences, including data exfiltration, unauthorized system access, or service disruption. | Apply the principle of least privilege to all integrated tools and to the Rube MCP system itself. Carefully review and restrict the scope of operations that Rube MCP tools can perform. Ensure that each tool's permissions are narrowly defined and that the overall system is designed with strong isolation and access controls to limit the blast radius of any potential compromise. | LLM | Manifest:1 |
Full report: https://skillshield.io/report/17d26f0ffe42be6e (powered by SkillShield)