connect-apps
Fail
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: HIGH
EXTERNAL_DOWNLOADS, REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, DATA_EXFILTRATION
Full Analysis
- EXTERNAL_DOWNLOADS (HIGH): The skill mandates the installation of an external plugin via /plugin install composio-toolrouter. The source and the plugin logic are not from a trusted organization as defined in the security policy, introducing potential for arbitrary code execution within the agent environment.
- DATA_EXFILTRATION (HIGH): By design, this skill moves user data (emails, GitHub content, Slack messages) to a third-party platform (Composio). While this is the stated purpose, it creates a large-scale data exposure surface to a non-whitelisted external domain.
- COMMAND_EXECUTION (MEDIUM): The setup process involves running /composio-toolrouter:setup, which executes configuration logic on the agent's system that is dependent on external service state and provided API keys.
- INDIRECT_PROMPT_INJECTION (LOW): The skill's primary function is to ingest data from untrusted external sources (like incoming emails or chat messages). This exposes the agent to indirect prompt injection attacks where malicious content in those sources could trigger unauthorized actions.
- Ingestion points: Gmail, Slack, GitHub, Notion, and 1000+ other integrated apps.
- Boundary markers: None specified; instructions do not include delimiters or warnings to ignore embedded commands in processed data.
- Capability inventory: High-privilege actions including sending emails, posting messages, and modifying database records.
- Sanitization: None detected in the skill definition.
Recommendations
- AI detected serious security threats
Audit Metadata