close-automation

The provided skill is a legitimate orchestration descriptor for automating Close CRM through a third-party Rube MCP gateway. It does not contain executable malware or obfuscated payloads. The main security risk is that all authentication and API traffic is brokered through an external MCP (https://rube.app/mcp) with insufficient documentation about token handling, scope, retention, and operator trust. This creates a moderate supply-chain risk: if the MCP or its stored tokens are compromised, an attacker could perform high-impact CRUD operations on Close CRM data. Recommendations: only use a trusted (ideally audited or self-hosted) MCP operator; require transparency about token storage and scopes; prefer least-privilege tokens and short lifetimes; log and audit MCP activity; and consider direct API integrations where possible.