Security Audit
pushover-automation
github.com/ComposioHQ/awesome-claude-skills
Trust Assessment
pushover-automation received a trust score of 65/100, placing it in the Caution category. This skill has some security considerations that users should review before deployment.
SkillShield's automated analysis identified 3 findings: 1 critical, 1 high, 1 medium, and 0 low severity. Key findings include Potential Command Injection via RUBE_REMOTE_WORKBENCH and run_composio_tool(), Broad Tool Execution Scope via Rube MCP, Unpinned Dependency on Rube MCP.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The LLM Behavioral Safety layer scored lowest at 48/100, indicating areas for improvement.
Last analyzed on February 20, 2026 (commit 27904475). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (3)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| CRITICAL | **Potential Command Injection via RUBE_REMOTE_WORKBENCH and run_composio_tool()** The skill documentation mentions `RUBE_REMOTE_WORKBENCH` with `run_composio_tool()` for 'Bulk ops'. If `run_composio_tool()` allows execution of arbitrary code or shell commands, or if it can be manipulated to execute unintended Composio tools with untrusted input, it presents a critical command injection vulnerability. This could allow an attacker to execute arbitrary commands on the host system or within the Composio environment. Review the implementation of `RUBE_REMOTE_WORKBENCH` and `run_composio_tool()` to ensure they are properly sandboxed and do not allow arbitrary code execution or command injection. Restrict the scope of `run_composio_tool()` to only explicitly allowed and safe operations. If possible, avoid exposing such a powerful primitive to an LLM. | LLM | SKILL.md:72 |
| HIGH | **Broad Tool Execution Scope via Rube MCP** The skill leverages Rube MCP for tool discovery (`RUBE_SEARCH_TOOLS`) and execution (`RUBE_MULTI_EXECUTE_TOOL`). While the examples guide the LLM to search for 'Pushover operations', the underlying mechanism allows the LLM to potentially discover and execute any tool available through the Rube MCP, not just those related to Pushover. This grants the skill (and by extension, the LLM using it) a broader set of permissions than necessary for its stated purpose of 'Pushover automation', increasing the attack surface. Implement stricter controls within the Rube MCP or the LLM's prompt to limit tool discovery and execution to only the `pushover` toolkit or explicitly approved tools. Consider using a more narrowly scoped tool execution mechanism if available, or ensure the LLM's system prompt strongly enforces the scope. | LLM | SKILL.md:44 |
| MEDIUM | **Unpinned Dependency on Rube MCP** The skill's manifest specifies a dependency on the `rube` MCP (`"mcp": ["rube"]`) without a version constraint. This 'unpinned' dependency means that the skill could automatically use any version of the `rube` MCP, including future versions that might introduce breaking changes, security vulnerabilities, or even malicious functionality. This lack of version pinning makes the skill susceptible to supply chain attacks or unexpected behavior changes. Pin the `rube` MCP dependency to a specific, known-good version (e.g., `"mcp": ["rube@1.2.3"]`) or at least a major/minor version range (e.g., `"mcp": ["rube@^1.0.0"]`) to ensure stability and reduce the risk of unexpected changes. Regularly review and update the pinned version. | LLM | SKILL.md:1 |
Full report: https://skillshield.io/report/cdc0d08d3400e953
Powered by SkillShield