Security Audit
realphonevalidation-automation
github.com/ComposioHQ/awesome-claude-skillsTrust Assessment
realphonevalidation-automation received a trust score of 85/100, placing it in the Mostly Trusted category. This skill has passed most security checks with only minor considerations noted.
SkillShield's automated analysis identified 1 finding: 0 critical, 1 high, 0 medium, and 0 low severity. Key findings include Unversioned External MCP Dependency.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. All layers scored 70 or above, reflecting consistent security practices.
Last analyzed on February 17, 2026 (commit 99e2a295). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Layer Breakdown
Behavioral Risk Signals
Security Findings1
| Severity | Finding | Layer | Location | |
|---|---|---|---|---|
| HIGH | Unversioned External MCP Dependency The skill relies on an external, unversioned Managed Control Plane (MCP) server at `https://rube.app/mcp`. The manifest explicitly lists `rube` as a required MCP. There is no mechanism to pin the version of the Rube MCP or its provided tool schemas, nor to verify its integrity. A compromise or malicious change to the `rube.app` service could lead to the agent executing arbitrary or malicious operations through dynamically discovered tools, posing a significant supply chain risk. The skill's functionality is entirely dependent on the trustworthiness and continued security of this external service. Implement version pinning or integrity checks for external MCPs. If direct version pinning is not possible, consider sandboxing the execution environment or implementing strict allow-listing for tool schemas and operations. Regularly audit the external service provider for security best practices and ensure the MCP endpoint is secured against tampering. | Static | SKILL.md:1 |
Scan History
Embed Code
[](https://skillshield.io/report/7c7af6f4a53c9e53)
Powered by SkillShield