connect
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGH
Categories: DATA_EXFILTRATION, COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, PROMPT_INJECTION
Full Analysis
- [Indirect Prompt Injection] (HIGH): This skill creates a significant attack surface by connecting the agent to external, attacker-controlled data sources such as emails and chat messages. An attacker could send a message containing hidden instructions that the agent then executes using the skill's write capabilities. Ingestion points: Data retrieved via 1,000+ integrations managed by the Composio router. Boundary markers: None defined in the skill documentation or example code. Capability inventory: Full write and delete access across Gmail, Slack, GitHub, and various databases. Sanitization: None present.
- [Data Exposure & Exfiltration] (HIGH): The core functionality of the skill is to move data between services, which serves as a pre-built exfiltration pathway if the agent is compromised via prompt injection. The agent has direct access to move information from sensitive environments (S3, PostgreSQL) to external social or chat platforms.
- [External Downloads] (MEDIUM): The skill relies on third-party libraries (composio, @composio/core) from sources not included in the trusted whitelist, requiring the user to trust the package maintainers' security practices.
- [Dynamic Execution] (MEDIUM): Uses the Model Context Protocol (MCP) with dynamic URLs (session.mcp.url) to route actions, allowing for runtime tool execution that is not fully auditable from the static skill definition.
Recommendations
- AI detected serious security threats
Audit Metadata