Security Audit
zoho_inventory-automation
github.com/ComposioHQ/awesome-claude-skills
Trust Assessment
zoho_inventory-automation received a trust score of 70/100, placing it in the Caution category. This skill has some security considerations that users should review before deployment.
SkillShield's automated analysis identified 3 findings: 0 critical, 2 high, 1 medium, and 0 low severity. Key findings include Unpinned dependency in manifest, Excessive permissions requested for Rube MCP tools, Potential command injection via RUBE_REMOTE_WORKBENCH.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The LLM Behavioral Safety layer scored lowest at 63/100, indicating areas for improvement.
Last analyzed on February 17, 2026 (commit 99e2a295). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Layer Breakdown
Behavioral Risk Signals
Security Findings (3)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| HIGH | **Excessive permissions requested for Rube MCP tools.** The skill explicitly requires and describes the use of highly privileged Rube MCP tools: `RUBE_MANAGE_CONNECTIONS` and `RUBE_REMOTE_WORKBENCH`. `RUBE_MANAGE_CONNECTIONS` can handle sensitive authentication details for Zoho Inventory, including OAuth tokens. `RUBE_REMOTE_WORKBENCH` is described as executing code (e.g., `run_composio_tool()` with `ThreadPoolExecutor`), implying a powerful, potentially arbitrary code execution environment within a sandbox. While these tools are central to the skill's functionality, their broad capabilities present a significant attack surface if misused by a malicious prompt or if the underlying Rube MCP implementation has vulnerabilities. An attacker could potentially manipulate the LLM into using these tools for unauthorized access or actions. Recommendation: ensure strict input validation and robust sandboxing for `RUBE_MANAGE_CONNECTIONS` and `RUBE_REMOTE_WORKBENCH` within the Rube MCP platform; implement strong access controls, least-privilege principles, and comprehensive auditing for these high-privilege operations; and have the skill itself clearly document the security implications and best practices for using these tools. | LLM | SKILL.md:39 |
| HIGH | **Potential command injection via RUBE_REMOTE_WORKBENCH.** The skill's documentation describes using `RUBE_REMOTE_WORKBENCH` for "bulk operations or data processing" by executing `run_composio_tool()` in a loop with `ThreadPoolExecutor`. This strongly implies that the workbench environment allows the execution of Python code. If an attacker can manipulate the arguments passed to `RUBE_REMOTE_WORKBENCH` (e.g., through a crafted prompt to the LLM agent) to inject arbitrary Python code or alter the execution flow within the `ThreadPoolExecutor` context, it could lead to command injection. This could allow unauthorized operations, data exfiltration, or resource manipulation within the workbench's scope. Recommendation: the Rube MCP platform must ensure that `RUBE_REMOTE_WORKBENCH` strictly sanitizes all inputs and only allows execution of predefined, safe functions (`run_composio_tool`) with thoroughly validated arguments; prevent any mechanism that allows arbitrary code injection into the `ThreadPoolExecutor` context; and implement a secure, isolated sandboxing mechanism for the workbench environment to limit the impact of any code execution. | LLM | SKILL.md:86 |
| MEDIUM | **Unpinned dependency in manifest.** The skill's manifest specifies a dependency on `rube` without a version constraint. This creates supply-chain risk: if a new, incompatible, or malicious version of the dependency is released and automatically pulled, it could introduce vulnerabilities or breaking changes. Recommendation: pin the `rube` dependency to a specific version or version range (e.g., `rube==1.2.3` or `rube>=1.0,<2.0`) to ensure consistent and secure behavior across deployments. | LLM | Manifest |
[SkillShield report](https://skillshield.io/report/19535a8d18cc0c20)
Powered by SkillShield