Security Audit
zoho_books-automation
github.com/ComposioHQ/awesome-claude-skillsTrust Assessment
zoho_books-automation received a trust score of 85/100, placing it in the Mostly Trusted category. This skill has passed most security checks with only minor considerations noted.
SkillShield's automated analysis identified 1 finding: 0 critical, 1 high, 0 medium, and 0 low severity. Key findings include Unpinned external MCP dependency.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. All layers scored 70 or above, reflecting consistent security practices.
Last analyzed on February 17, 2026 (commit 99e2a295). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Layer Breakdown
Behavioral Risk Signals
Security Findings1
| Severity | Finding | Layer | Location | |
|---|---|---|---|---|
| HIGH | Unpinned external MCP dependency The skill declares a dependency on the 'rube' MCP in its manifest and instructs users to connect to `https://rube.app/mcp` without specifying a version or integrity check. This means the skill will always use the latest version served by the `rube.app` endpoint. If this endpoint is compromised or serves a malicious update, the skill would automatically incorporate potentially harmful functionality, leading to severe security risks such as data exfiltration, command injection, or credential harvesting without any mechanism for detection or rollback. Pin the 'rube' MCP dependency to a specific, immutable version, hash, or a trusted registry. Implement integrity checks for external dependencies to ensure their authenticity and prevent supply chain attacks. Update the documentation (SKILL.md) to reflect the pinned version and connection method. | Static | manifest.json:1 |
Scan History
Embed Code
[](https://skillshield.io/report/14dd93f666eae005)
Powered by SkillShield