basecamp-automation

Warn

Audited by Socket on Feb 27, 2026

1 alert found:

Anomaly: LOW
SKILL.md

This skill is documentation for automating Basecamp through a third-party MCP (Rube). Functionally it matches its stated purpose (managing projects, to-dos, messages, people, and groups). The main security concern is not malicious code embedded here (no code present) but the operational data flow: the skill routes OAuth and API traffic through an external MCP (https://rube.app/mcp). That mediator will hold or proxy OAuth tokens and see all content and actions; combined with high-impact capabilities (creating users, granting/revoking access), this creates a medium-to-high supply-chain and credential-forwarding risk if the MCP is untrusted. If you control or fully trust the MCP operator and confirm how tokens are stored, scoped, and audited, the risk is reduced. Otherwise, prefer direct, official Basecamp OAuth flows or restrict the agent's permissions and require explicit user confirmation for high-impact operations.

Confidence: 75%
Severity: 55%

Audit Metadata

Analyzed At: Feb 27, 2026, 09:36 AM
Package URL: pkg:socket/skills-sh/sickn33%2Fantigravity-awesome-skills%2Fbasecamp-automation%2F@2a56416769ee6e507c31d800008cc09feda635ed