Security Audit
spotlightr-automation
github.com/ComposioHQ/awesome-claude-skills
Trust Assessment
spotlightr-automation received a trust score of 85/100, placing it in the Mostly Trusted category. This skill has passed most security checks with only minor considerations noted.
SkillShield's automated analysis identified 1 finding: 0 critical, 1 high, 0 medium, and 0 low severity. The key finding is "Skill promotes use of highly privileged Rube MCP tools".
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. All layers scored 70 or above, reflecting consistent security practices.
Last analyzed on February 20, 2026 (commit 27904475). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (1)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| HIGH | Skill promotes use of highly privileged Rube MCP tools. The skill's documentation instructs the LLM to use Rube MCP tools such as `RUBE_MULTI_EXECUTE_TOOL` and `RUBE_REMOTE_WORKBENCH`. These tools grant broad capabilities to the agent. Specifically, `RUBE_REMOTE_WORKBENCH` with `run_composio_tool()` allows the execution of arbitrary Composio tools, which could extend beyond the intended Spotlightr automation. If the LLM is compromised via prompt injection or other means, it could leverage these powerful tools to perform unauthorized actions across various integrated services. Implement strict input validation and authorization checks within the Rube MCP system for `tool_slug` and `arguments` to ensure only intended operations are performed. For the skill itself, consider if the `RUBE_REMOTE_WORKBENCH` functionality is strictly necessary or if a more scoped tool could be used. Ensure the LLM's prompts are robust against injection to prevent misuse of these powerful tools. | LLM | SKILL.md:70 |