composio
Warn
Audited by Snyk on Feb 15, 2026
Risk Level: MEDIUM
Full Analysis
MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).
- Third-party content exposure detected (high risk: 0.90). The skill explicitly describes agents and Tool Router sessions that fetch from and execute actions on third-party services (examples include GMAIL_FETCH_EMAILS / "Fetch my last email", Slack, GitHub, session.tools(), and the connectedAccounts.link()/authorize() flows), meaning the agent will ingest user-generated or public content from external services during its workflow.
MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).
- Potentially malicious external URL detected (high risk: 0.80). The MCP server URL (e.g. https://mcp.composio.dev/session/your_session_id, referenced as session.mcp.url) is used at runtime to fetch tool definitions and headers for MCP clients. These directly control the agent's available tools and enable remote tool execution, so this external endpoint is a runtime dependency that can control prompts and execution.
Audit Metadata