Security Audit
activecampaign-automation
github.com/sickn33/antigravity-awesome-skills
Trust Assessment
activecampaign-automation received a trust score of 56/100, placing it in the Caution category. This skill has some security considerations that users should review before deployment.
SkillShield's automated analysis identified 1 finding: 0 critical, 1 high, 0 medium, and 0 low severity. The key finding is "Unversioned external MCP dependency".
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. All layers scored 70 or above, reflecting consistent security practices.
Last analyzed on February 20, 2026 (commit e36d6fd3). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (1)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| HIGH | Unversioned external MCP dependency. The skill explicitly instructs the agent to connect to an external MCP (`rube`) served from `https://rube.app/mcp`. There is no version pinning or integrity checking mechanism specified for the MCP itself. A compromise of the `rube.app` domain or the `rube` MCP provider could lead to the agent loading malicious tools. These malicious tools could then be used to perform unauthorized actions within ActiveCampaign, potentially leading to data exfiltration, command injection (if the tools allow it), or other security breaches. Implement version pinning or cryptographic integrity checks for the Rube MCP to ensure that only trusted versions are loaded. Consider hosting a trusted version of the MCP internally or using a more secure mechanism for tool discovery and loading that includes validation of the tool provider. | LLM | SKILL.md:16 |