basecamp-automation
Audited by Socket on Feb 16, 2026
1 alert found:
Anomaly [Skill Scanner] Skill instructions include directives to hide actions from user

Functionally coherent and consistent with the stated purpose: the skill lists expected tools and parameters and describes legitimate Basecamp workflows. The main security concern is architectural: it requires routing OAuth and all Basecamp API calls through an external MCP (https://rube.app/mcp). That is not inherently malicious but increases the trust surface — if the MCP or its operator is untrusted or compromised it could misuse credentials or exfiltrate project data. No hardcoded secrets, no obfuscated code, and no direct indicators of malware in this SKILL.md. Recommendation: treat the MCP endpoint as high-sensitivity — verify the MCP provider's trustworthiness, audit where tokens are stored and for what retention, and prefer direct official API usage if you cannot trust the MCP operator.

LLM verification: No explicit malicious code is present in the provided skill documentation. The main security concern is architectural: the skill requires routing OAuth and all toolkit calls through a third-party MCP (https://rube.app/mcp). That design centralizes credentials, API traffic, and data in an external operator's infrastructure and—combined with a flagged instruction to hide actions from users—creates a realistic risk of credential exposure, opaque operations, or data leakage. Recommendation: do not u