Security Audit
smugmug-automation
github.com/ComposioHQ/awesome-claude-skillsTrust Assessment
smugmug-automation received a trust score of 94/100, placing it in the Trusted category. This skill has passed all critical security checks and demonstrates strong security practices.
SkillShield's automated analysis identified 1 finding: 0 critical, 0 high, 1 medium, and 0 low severity. Key findings include Unversioned external MCP dependency.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. All layers scored 70 or above, reflecting consistent security practices.
Last analyzed on February 17, 2026 (commit 99e2a295). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Layer Breakdown
Behavioral Risk Signals
Security Findings1
| Severity | Finding | Layer | Location | |
|---|---|---|---|---|
| MEDIUM | Unversioned external MCP dependency The skill explicitly instructs the user to add `https://rube.app/mcp` as an MCP server. This hardcoded, unversioned external dependency introduces a supply chain risk. If the `rube.app` domain were compromised or the service changed its behavior maliciously, it could serve harmful tool definitions or code, directly impacting the security and functionality of the skill without the user's explicit consent or knowledge of the change. If possible within the MCP system, pin the Rube MCP to a specific version, hash, or a more controlled endpoint. Implement robust integrity checks for tools retrieved from the MCP. If version pinning is not feasible, acknowledge and monitor the inherent risks associated with unversioned external dependencies. | LLM | SKILL.md:9 |
Scan History
Embed Code
[](https://skillshield.io/report/9b661a8ccde0b5c7)
Powered by SkillShield