composio-connect

Fail

Audited by Socket on Feb 24, 2026

1 alert found:

Malware (severity: HIGH)
File: SKILL.md

[Skill Scanner] Natural language instruction to download and install from URL detected.

This skill is functionally a legitimate universal connector: it centralizes OAuth and action execution through the Composio platform. There is no direct evidence of malware or obfuscated malicious code in this documentation fragment. However, the design routes API keys, OAuth tokens, and all action payloads through a third-party managed gateway (Composio). That pattern is high impact: a compromised platform, SDK, or leaked COMPOSIO_API_KEY could allow broad access to many services. Documentation contradictions about data storage and the lack of pinned SDK versions or transparency about token handling increase risk. Recommend treating this as a high-impact third-party trust decision: audit the composio-core SDK and the platform, require least privilege, pin package versions, and prefer direct integrations or audited connectors for sensitive services.

LLM verification: The provided fragment is documentation for a fallback connector that relies on an external orchestration platform (Composio). The file contains no direct malicious code or obfuscation. Primary risks are: (1) supply-chain risk from installing an unpinned third-party package (pip install composio-core), and (2) architectural risk from centralizing API keys and OAuth tokens in a third-party service. I recommend: verify vendor identity and reputation, review and pin SDK package versions (and prefer

Confidence: 95%
Severity: 90%
Audit Metadata
Analyzed At
Feb 24, 2026, 04:24 AM
Package URL
pkg:socket/skills-sh/Casper-Studios%2Fcasper-marketplace%2Fcomposio-connect%2F@9673a6763742be5160dfbe012e8b10798368104f