composio-connect

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The skill explicitly routes natural-language requests to and executes actions against many public third‑party services (see SKILL.md "Supported Apps by Category" including social media, Notion, and "Scrape → Update CRM") and the runtime script (scripts/execute_action.py) calls client.execute_action and prints/saves the returned responses, meaning untrusted/user‑generated content from external apps/web scrapers is ingested and can influence subsequent tool behavior.

MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).

• Direct money access detected (high risk: 1.00). The skill is a universal action executor that explicitly lists payment and finance platforms (Stripe, Square, QuickBooks, Xero, Shopify) and enumerates money-moving actions (e.g., "Stripe: Create invoice, check payment, refund", "Square: Create payment", "QuickBooks: Create invoice, record payment"). Those are specific payment/finance APIs and actions (payment creation, refunds, recording payments), not generic automation. Under the policy (flag when the tool's primary/explicit definition includes sending transactions/payments), this skill grants direct financial execution capability.