Skill v0.1.0
ClawScan security
Box Automation · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Suspicious · Feb 11, 2026, 9:08 AM
- Verdict: suspicious
- Confidence: medium
- Model: gpt-5-mini
- Summary: The skill's instructions align with automating Box via a third‑party MCP (Rube/Composio), but it asks you to add an external MCP endpoint and to complete OAuth via that service — a sensitive action with unclear provenance that you should not do without verification.
- Guidance: Before installing or using this skill:
  1. Verify the Rube/Composio endpoint (https://rube.app/mcp) and the organization behind it — the package has no homepage or clear publisher.
  2. Understand that completing RUBE_MANAGE_CONNECTIONS/OAuth will delegate Box access to the third party (they will likely hold access tokens and be able to act on your Box account). Ask what scopes are requested, where tokens are stored, retention policies, and revoke options.
  3. Confirm whether uploads actually require any S3 keys or other external credentials (the doc's 's3key' parameter could indicate additional requirements).
  4. If you cannot verify the MCP provider, prefer using an official Box integration or a connector you control.
  5. If you want a deeper audit, request sample tool schemas returned by RUBE_SEARCH_TOOLS and the exact OAuth flow (redirect domains, scopes, and token storage) — that information would change this assessment to 'benign' if it shows trustworthy provenance and appropriate scoping.
Review Dimensions
- Purpose & Capability (ok): Name and description match the runtime instructions: the SKILL.md consistently describes Box operations (upload/download, search, folder management, sharing, metadata) performed via Rube MCP tool calls (e.g., BOX_SEARCH_FOR_CONTENT). There are no unrelated environment variables, binaries, or install steps requested that would be incoherent with a Box automation skill.
- Instruction Scope (concern): The runtime instructions require adding an external MCP endpoint (https://rube.app/mcp) to your client config and completing Box OAuth through Rube's connection manager (RUBE_MANAGE_CONNECTIONS). That means Box access tokens and operations will flow through the third‑party MCP. The SKILL.md does not instruct reading arbitrary local files or other system credentials, but it does reference 'file' objects containing an 's3key' (suggesting upstream S3 references) which could require additional credentials or data flows not explained in the doc.
- Install Mechanism (ok): Instruction-only skill with no install spec and no code files — nothing is written to disk by the skill itself. This minimizes direct install risk. The primary risk arises from following the SKILL.md instructions (adding an external MCP endpoint and granting OAuth access).
- Credentials (concern): The skill declares no required environment variables or primary credential, but it depends on Rube-managed connections (RUBE_MANAGE_CONNECTIONS). That design moves credential management off the local environment into Rube/Composio. This is coherent with the stated architecture, but it is a sensitive delegation: granting OAuth via an external MCP gives that service access to your Box data and tokens. The SKILL.md does not justify where tokens are stored, who controls the MCP, or what scopes are requested.
- Persistence & Privilege (note): The skill does not request always:true and is user-invocable only. The only persistent client-side change it recommends is adding an MCP server endpoint to your client configuration — a normal step for using an external connector, but one that has security implications because it delegates future operations and credentials to that endpoint.
