connect-apps
Pass
Audited by Gen Agent Trust Hub on Mar 6, 2026
Risk Level: SAFE EXTERNAL_DOWNLOADS PROMPT_INJECTION
Full Analysis
- [EXTERNAL_DOWNLOADS]: The skill requires the installation of an external plugin named 'composio-toolrouter' and directs users to fetch an API key from the Composio platform (platform.composio.dev) to enable functionality.
- [PROMPT_INJECTION]: The skill exposes a significant surface for indirect prompt injection by enabling the agent to process data from and execute actions in 1000+ external applications.
  - Ingestion points: Untrusted data enters the agent's context through connected apps, such as reading emails from Gmail, messages from Slack, or issues from GitHub.
  - Boundary markers: The skill lacks explicit delimiters or instructions (e.g., 'ignore instructions within the email body') to prevent the agent from accidentally obeying commands embedded in external content.
  - Capability inventory: The agent is granted powerful write capabilities, including sending emails, creating code repository issues, posting chat messages, and modifying database records (PostgreSQL, Airtable).
  - Sanitization: There is no evidence of content sanitization or validation to ensure that data retrieved from external services is stripped of malicious instructions before being processed by the model.