connect-apps
Warn
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: MEDIUMEXTERNAL_DOWNLOADSCOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
- EXTERNAL_DOWNLOADS (MEDIUM): The skill requires the installation of the
composio-toolrouterplugin. This is a third-party dependency from a source not included in the trusted list, making its runtime behavior unverifiable during this audit. - PROMPT_INJECTION (LOW): The skill creates a broad surface for Indirect Prompt Injection (Category 8).
- Ingestion points: Processes data from 1000+ external apps including Gmail, Slack, and GitHub.
- Boundary markers: There are no boundary markers or instructions to help the agent distinguish between user data and potentially malicious embedded instructions in external content.
- Capability inventory: The skill provides extensive 'write' capabilities, such as sending emails and posting to Slack, which could be abused if the agent obeys instructions found within retrieved data.
- Sanitization: No sanitization or validation of the data retrieved from external services is defined.
- COMMAND_EXECUTION (LOW): The setup instructions involve running custom commands like
/plugin installand/composio-toolrouter:setup, which modify the agent's operating environment.
Audit Metadata