Security Audit
pdfless-automation
github.com/ComposioHQ/awesome-claude-skills

Trust Assessment
pdfless-automation received a trust score of 65/100, placing it in the Caution category. This skill has some security considerations that users should review before deployment.
SkillShield's automated analysis identified 5 findings: 0 critical, 4 high, 1 medium, and 0 low severity. Key findings include Prompt Injection via RUBE_SEARCH_TOOLS queries, Potential Injection via RUBE_MULTI_EXECUTE_TOOL arguments, Command Injection Risk via RUBE_REMOTE_WORKBENCH.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The LLM Behavioral Safety layer scored lowest at 33/100, indicating areas for improvement.
Last analyzed on February 20, 2026 (commit 27904475). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (5)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| HIGH | **Prompt Injection via RUBE_SEARCH_TOOLS queries**: The `use_case` and `known_fields` parameters in `RUBE_SEARCH_TOOLS` are intended for natural language queries. If these fields are populated directly from untrusted user input without sanitization, an attacker could inject malicious instructions or manipulate the tool's behavior, leading to biased or harmful tool discovery results. This could influence subsequent tool execution decisions by the LLM. Implement strict input validation and sanitization for the `use_case` and `known_fields` parameters, ensuring they only contain expected natural language phrases and cannot be used to inject commands or manipulate the underlying LLM/tool. Consider using allow-lists or robust escaping mechanisms. | LLM | SKILL.md:39 |
| HIGH | **Command Injection Risk via RUBE_REMOTE_WORKBENCH**: The mention of `RUBE_REMOTE_WORKBENCH` with `run_composio_tool()` suggests a powerful execution capability. If an attacker can control the `tool_slug` or `arguments` passed to `run_composio_tool()`, and if the underlying Composio tools execute system commands or arbitrary code without proper sandboxing and validation, it could lead to command injection, allowing unauthorized system access or data manipulation. Implement strict access control and input validation for `RUBE_REMOTE_WORKBENCH` and `run_composio_tool()`. Ensure that only authorized tools can be executed and that all arguments are thoroughly sanitized and validated to prevent arbitrary command execution. Tools executed via this mechanism should operate within a highly restricted and sandboxed environment. | LLM | SKILL.md:85 |
| HIGH | **Excessive Permissions due to broad tool access**: The skill provides broad access to 'Pdfless operations' through dynamic tool discovery and execution via Rube MCP. The ability to execute any discovered tool (`RUBE_MULTI_EXECUTE_TOOL`) and the mention of `RUBE_REMOTE_WORKBENCH` for `run_composio_tool()` indicate a highly privileged execution environment. Without granular access controls, strict input validation, and robust sandboxing, this broad access could be exploited to perform unauthorized actions, potentially impacting the entire system or sensitive data. Implement fine-grained access control policies for individual Pdfless tools and operations. Ensure that the LLM agent's permissions are minimized to only what is necessary for its intended function. All tool executions should be sandboxed, and any sensitive operations should require explicit user confirmation or additional authentication. | LLM | SKILL.md:3 |
| HIGH | **Supply Chain Risk from dynamic tool schema loading**: The instruction to 'Always call `RUBE_SEARCH_TOOLS` first to get current tool schemas' implies dynamic loading of tool definitions from an external source (`https://rube.app/mcp`). If the Rube MCP service is compromised or serves malicious tool schemas, the skill could be instructed to execute arbitrary, harmful operations. This introduces a dynamic supply chain risk where the integrity of the skill's behavior depends on the trustworthiness of the external MCP service at runtime. Implement mechanisms to verify the integrity and authenticity of tool schemas retrieved from `RUBE_SEARCH_TOOLS`. Consider pinning schema versions or using cryptographic signatures to ensure that only trusted and verified tool definitions are loaded and executed. Regularly audit the external MCP service for security vulnerabilities and ensure secure communication channels. | LLM | SKILL.md:30 |
| MEDIUM | **Potential Injection via RUBE_MULTI_EXECUTE_TOOL arguments**: The `arguments` parameter for `RUBE_MULTI_EXECUTE_TOOL` is populated based on tool schemas. If these schemas allow arbitrary string input that is then interpreted by the underlying Pdfless tools (e.g., as a command, script, or query), and if this input originates from untrusted sources, it could lead to injection attacks against the Pdfless tools. The risk depends on the specific schema and how the underlying tools process these arguments. Ensure that all arguments passed to `RUBE_MULTI_EXECUTE_TOOL` are strictly validated against the expected schema and sanitized, especially for fields that accept free-form text. The underlying Pdfless tools must also implement robust input validation and sandboxing to prevent arbitrary code execution or data manipulation. | LLM | SKILL.md:59 |
Full report: https://skillshield.io/report/e4c357f3d3ed7ba9 (powered by SkillShield)