skills/bselee/murp/connect/Gen Agent Trust Hub

connect

Fail

Audited by Gen Agent Trust Hub on Feb 17, 2026

Risk Level: HIGH
EXTERNAL_DOWNLOADS, COMMAND_EXECUTION, DATA_EXFILTRATION
Full Analysis
  • Indirect Prompt Injection (HIGH): The skill is explicitly designed to read and process data from over 1000 external applications (e.g., GitHub issues, Slack messages, emails) which are inherently untrusted sources.
      • Ingestion points: Data enters the agent context via integrations with services like Gmail, Slack, and GitHub (referenced in 'Supported Apps' and 'Examples' sections).
      • Boundary markers: None detected. The skill instructions do not provide delimiters or warnings to ignore instructions embedded within the data retrieved from these apps.
      • Capability inventory: The skill has extensive high-privilege capabilities including sending emails, creating GitHub issues, posting to Slack, and updating databases (mapped to 'allowed-tools: Bash, Read, Write, Edit').
      • Sanitization: No evidence of sanitization or validation of external content before it is processed by the agent.
      • Risk: An attacker could send an email or post a Slack message containing hidden instructions that the agent would then execute, such as 'Delete all files' or 'Exfiltrate database content'.
  • External Downloads (LOW): The skill requires installing several external packages.
      • Evidence: pip install composio, npm install @composio/core, pip install claude-agent-sdk, pip install composio-langchain.
      • Status: These are recognized packages, and under [TRUST-SCOPE-RULE], these findings are downgraded to LOW, but they remain necessary for the skill's functionality.
  • Command Execution (MEDIUM): The skill documentation encourages the use of export for setting environment variables and pip/npm for installation.
      • Evidence: export COMPOSIO_API_KEY="your-key", pip install composio.
      • Risk: While these are setup instructions, they involve shell execution that could be exploited if modified in a malicious version of the skill.
  • Data Exfiltration (LOW): The skill's primary function is to send data to external APIs.
      • Evidence: Network operations are performed via the Composio Tool Router to various third-party domains (Gmail, Slack, etc.).
      • Status: While this is the intended purpose, it facilitates the movement of data out of the local environment to third-party services.
Recommendations
  • AI detected serious security threats
Audit Metadata
  • Risk Level: HIGH
  • Analyzed: Feb 17, 2026, 12:37 AM