composio-cli
Pass
Audited by Gen Agent Trust Hub on Apr 6, 2026
Risk Level: SAFE COMMAND_EXECUTION PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill documents the use of `composio run` to execute arbitrary JavaScript logic. This allows the agent to chain multiple tool calls, use conditional logic, and perform complex data processing within the user's local environment. This is a primary feature of the vendor's CLI tool but involves the execution of dynamic scripts.
- [PROMPT_INJECTION]: The skill introduces an attack surface for indirect prompt injection by demonstrating how to fetch data from external sources (e.g., Gmail messages) and pass it directly into an LLM-powered sub-agent using `experimental_subAgent`.
  - Ingestion points: Data is ingested via tool calls such as `GMAIL_FETCH_EMAILS` as shown in `SKILL.md` and `references/power-user-examples.md`.
  - Boundary markers: None are present; untrusted content is appended to the prompt string using the `.prompt()` method without delimiters or instructions to ignore embedded commands.
  - Capability inventory: The skill has broad capabilities including executing various authenticated tools (`execute`), performing raw API requests (`proxy`), and discovering new tools (`search`).
  - Sanitization: The examples do not include sanitization or validation of external data before processing.
Audit Metadata