Composio Connect
Fail
Audited by Gen Agent Trust Hub on Apr 6, 2026
Risk Level: HIGH
REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
- [REMOTE_CODE_EXECUTION]: Fetches and executes an installation script directly from the vendor's official domain (https://composio.dev/install) using a piped-to-shell pattern.
- [COMMAND_EXECUTION]: Relies on the execution of the composio CLI tool and various shell utilities (jq, grep, awk, sed) for data manipulation and system interaction.
- [DATA_EXFILTRATION]: Accesses and processes data from external applications like Slack, GitHub, and Gmail. While it includes warnings against hardcoding credentials, the skill involves handling potentially sensitive project and user metadata.
- [PROMPT_INJECTION]: Presents a surface for indirect prompt injection as it processes untrusted data from over 1000 external applications and has the capability to execute commands based on that data.
  - Ingestion points: Data retrieved from external apps via the composio tools execute command (SKILL.md).
  - Boundary markers: Absent for external tool outputs.
  - Capability inventory: CLI execution (composio), and instructions to offload work to inline bash or python scripts (SKILL.md).
  - Sanitization: Suggests parsing JSON with jq but lacks explicit sanitization of text content from external sources.
Recommendations
- HIGH: Downloads and executes remote code from: https://composio.dev/install - DO NOT USE without thorough review
Audit Metadata