Trust Assessment
y-gy-automation received a trust score of 65/100, placing it in the Caution category. This skill has some security considerations that users should review before deployment.
SkillShield's automated analysis identified 5 findings: 0 critical, 4 high, 1 medium, and 0 low severity. Key findings include Unpinned dependency on Rube MCP, Broad access to external toolkit operations, Potential for command injection via RUBE_REMOTE_WORKBENCH.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The LLM Behavioral Safety layer scored lowest at 33/100; every finding below is attributed to that layer, so the risk comes from what the skill's instructions let the LLM do rather than from its manifest or code as such.
Last analyzed on February 20, 2026 (commit 27904475). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (5)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| HIGH | Unpinned dependency on Rube MCP. The skill's manifest declares a dependency on the `rube` MCP without any version pinning (`"mcp": ["rube"]`), so the skill always resolves to whatever version of Rube MCP is current. A malicious or vulnerable update to `rube` would be picked up automatically, with no review step, which is a supply chain risk. Remediation: pin the `rube` dependency to a specific known-good version (or a narrow version range) so that updates are adopted deliberately rather than automatically. | LLM | SKILL.md:1 |
| HIGH | Broad access to external toolkit operations. The skill exposes `RUBE_MULTI_EXECUTE_TOOL` and `RUBE_REMOTE_WORKBENCH`, which let the LLM execute any tool available in the `y_gy` toolkit. This is undifferentiated access to every operation `y_gy` provides through the Rube MCP. If the toolkit contains sensitive or administrative functions, the skill passes those permissions on to the LLM and, by extension, to the user and to anyone able to place instructions in the LLM's context. `RUBE_REMOTE_WORKBENCH` in particular suggests a powerful, potentially unconstrained execution environment. Remediation: expose only the minimum set of `y_gy` tools the skill actually needs, and do not hand the LLM generic execution tools such as `RUBE_MULTI_EXECUTE_TOOL` or `RUBE_REMOTE_WORKBENCH` without strict validation of tool slugs and arguments. | LLM | SKILL.md:48 |
| HIGH | Potential for command injection via RUBE_REMOTE_WORKBENCH. The skill instructs the LLM to use `RUBE_REMOTE_WORKBENCH` for 'Bulk ops' through `run_composio_tool()`. A remote workbench usually means an environment that can run arbitrary code or shell commands; if the inputs to `run_composio_tool()` can be influenced by untrusted content, the result is command injection on the remote system, or on the host if the workbench runs locally. Remediation: validate and sanitise every input reaching `RUBE_REMOTE_WORKBENCH` and `run_composio_tool()`, run the workbench in a tightly sandboxed environment with no access to sensitive system resources, and preferably do not expose such a generic execution primitive at all. | LLM | SKILL.md:70 |
| HIGH | Potential for data exfiltration via RUBE_REMOTE_WORKBENCH. The same `RUBE_REMOTE_WORKBENCH` / `run_composio_tool()` path could be used to exfiltrate data: if the underlying `y_gy` tools or the workbench environment can read local files, environment variables or other sensitive data, and a `y_gy` tool can make outbound network requests, that data can be sent to an attacker-controlled service. Remediation: apply strict network egress filtering and data access controls inside the `RUBE_REMOTE_WORKBENCH` environment, and make sure `y_gy` tools can neither read sensitive local data nor open unauthorised outbound connections. | LLM | SKILL.md:70 |
| MEDIUM | Potential for credential harvesting through tool execution. The skill uses `RUBE_MANAGE_CONNECTIONS` to authenticate to the `y_gy` toolkit, and then lets `RUBE_MULTI_EXECUTE_TOOL` and `RUBE_REMOTE_WORKBENCH` run arbitrary `y_gy` tools. A malicious `y_gy` tool executed this way could capture authentication tokens, API keys or other connection details managed by `RUBE_MANAGE_CONNECTIONS` or used by other `y_gy` tools. Remediation: keep credentials isolated inside `RUBE_MANAGE_CONNECTIONS`, run tools launched via `RUBE_MULTI_EXECUTE_TOOL` or `RUBE_REMOTE_WORKBENCH` with least privilege so they cannot reach authentication material unless explicitly authorised, and audit and monitor credential access. | LLM | SKILL.md:28 |
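As an added example (not SkillShield's code and not part of the y-gy-automation skill), the following Python shows the two controls the remediations above ask for: a pre-deployment check that flags unpinned `mcp` entries in a manifest, and a runtime gate that refuses the generic executors (`RUBE_MULTI_EXECUTE_TOOL`, `RUBE_REMOTE_WORKBENCH`) and only forwards allowlisted tool slugs with validated scalar arguments to the MCP call. The manifest fragments, the `name@version` / `name@sha256:<digest>` pin convention, the `Y_GY_*` tool slugs and `fake_executor` are constructed assumptions; the real `y_gy` tool names and the signature of `run_composio_tool()` are not on this page.

```python
import json
import re
from dataclasses import dataclass
from typing import Any, Callable

# Constructed manifest fragments for the demo; not the real skill manifest.
UNPINNED_MANIFEST = '{"name": "y-gy-automation", "mcp": ["rube"]}'
PINNED_MANIFEST = (
    '{"name": "y-gy-automation", "mcp": ["rube@1.4.2", "other@sha256:'
    + "0" * 64 + '"]}'
)

# Assumed pin convention: name@semver or name@sha256:<hex digest>.
PIN_RE = re.compile(r"^[A-Za-z0-9_.-]+@(\d+\.\d+\.\d+|sha256:[0-9a-f]{64})$")


def unpinned_mcp_deps(manifest_json: str) -> list:
    """Return every `mcp` dependency that carries no version or digest pin."""
    manifest = json.loads(manifest_json)
    return [dep for dep in manifest.get("mcp", []) if not PIN_RE.match(dep)]


# Generic execution primitives that must never be reachable from the LLM directly.
GENERIC_EXECUTORS = {"RUBE_MULTI_EXECUTE_TOOL", "RUBE_REMOTE_WORKBENCH"}
# Characters that only make sense if an argument is on its way to a shell.
SHELL_META = re.compile(r"[;&|`$<>\\]|\r|\n")


class PolicyViolation(ValueError):
    pass


@dataclass(frozen=True)
class ToolPolicy:
    allowed: dict            # tool slug -> set of argument names the skill may pass
    max_arg_len: int = 512

    def check(self, slug: str, args: dict) -> dict:
        """Return a cleaned copy of `args` or raise PolicyViolation."""
        if slug in GENERIC_EXECUTORS:
            raise PolicyViolation(f"{slug} is a generic executor; call a specific tool")
        if slug not in self.allowed:
            raise PolicyViolation(f"{slug} is not in the allowlist")
        unexpected = set(args) - self.allowed[slug]
        if unexpected:
            raise PolicyViolation(f"{slug}: unexpected arguments {sorted(unexpected)}")
        clean = {}
        for key, value in args.items():
            if isinstance(value, (int, bool)):
                clean[key] = value
            elif isinstance(value, str):
                if len(value) > self.max_arg_len:
                    raise PolicyViolation(f"{slug}.{key}: argument too long")
                if SHELL_META.search(value):
                    raise PolicyViolation(f"{slug}.{key}: shell metacharacters rejected")
                clean[key] = value
            else:
                raise PolicyViolation(f"{slug}.{key}: only scalar arguments are allowed")
        return clean


def gated_execute(policy: ToolPolicy, executor: Callable[[str, dict], Any],
                  slug: str, args: dict, audit: list) -> Any:
    """Call `executor` (a stand-in for run_composio_tool) only after the policy
    check passes; every allow/deny decision is recorded in `audit` for review."""
    try:
        clean = policy.check(slug, args)
    except PolicyViolation as exc:
        audit.append(("deny", slug, str(exc)))
        raise
    audit.append(("allow", slug, sorted(clean)))
    return executor(slug, clean)


# Hypothetical tool slugs; the real y_gy toolkit's tool names are not on the page.
EXAMPLE_POLICY = ToolPolicy(allowed={
    "Y_GY_LIST_RECORDS": {"limit", "cursor"},
    "Y_GY_GET_RECORD": {"record_id"},
})


def fake_executor(slug: str, args: dict) -> dict:
    # Stands in for the Rube MCP call and returns a canned result.
    return {"tool": slug, "args": args, "ok": True}


def demo() -> dict:
    audit = []
    results = {"unpinned": unpinned_mcp_deps(UNPINNED_MANIFEST)}
    results["allowed"] = gated_execute(
        EXAMPLE_POLICY, fake_executor, "Y_GY_LIST_RECORDS", {"limit": 25}, audit)
    attempts = [
        ("RUBE_REMOTE_WORKBENCH", {"code": "ls"}),               # generic executor
        ("Y_GY_GET_RECORD", {"record_id": "1; curl http://x"}),  # shell metacharacter
        ("Y_GY_GET_RECORD", {"record_id": "r1", "env": "x"}),    # unexpected argument
    ]
    for slug, args in attempts:
        try:
            gated_execute(EXAMPLE_POLICY, fake_executor, slug, args, audit)
        except PolicyViolation:
            pass
    results["denied"] = sum(1 for entry in audit if entry[0] == "deny")
    results["audit"] = audit
    return results


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2, default=str))
```

The gate deliberately rejects anything that is not a scalar and anything containing shell metacharacters, which is stricter than most real tools need; the point is that the allowlist of slugs and argument names is the control, and the executor is never reachable except through it. The manifest check is only as good as the pin convention the platform actually supports, so confirm what Rube MCP accepts before relying on it.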
Full report: https://skillshield.io/report/41211f69612f1510
Powered by SkillShield