webflow-automation

[Skill Scanner] Skill instructions include directives to hide actions from user This skill appears functionally coherent for automating Webflow via a managed MCP (Rube/Composio). There is no direct evidence of obfuscated or intentionally malicious code in the provided documentation. The main supply-chain/security concern is that the skill routes authentication and all API traffic through a third-party MCP (https://rube.app/mcp). That centralization means users must trust the MCP to correctly and securely store OAuth tokens and to not intercept or misuse site content, assets, or credentials. Additionally, destructive actions (delete, publish) and raw binary uploads raise operational risk and require explicit confirmation safeguards. If you trust Rube/Composio and understand where tokens and data are stored, the skill is reasonable; if you require direct control of credentials and API calls, avoid using an MCP proxy. LLM verification: The fragment presents a coherent, purpose-aligned automation skill for Webflow via a centralized MCP. The primary concerns are trust in the external MCP (rube.app), the OAuth workflow’s scope, and the potential for reduced user transparency due to a documented directive to hide actions. With explicit user confirmation before publishing or credential access, and proper scoping of OAuth permissions, the risk remains moderate but acceptable for a controlled automation use-case.