connect-composio

Fail

Audited by Gen Agent Trust Hub on Feb 16, 2026

Risk Level: HIGH
EXTERNAL_DOWNLOADS, PROMPT_INJECTION
Full Analysis
  • [Indirect Prompt Injection] (HIGH): The skill creates a high-risk vulnerability surface by combining external data ingestion with powerful write/execute capabilities.
      ◦ Ingestion points: Reads content from Gmail, Slack, GitHub issues, Notion pages, and 1000+ other apps (referenced in 'Supported Integrations' and 'Common Workflows').
      ◦ Boundary markers: None. The documentation does not specify the use of delimiters or instructions to ignore commands embedded in the external content.
      ◦ Capability inventory: Full write/execute access to repositories, email accounts, databases (PostgreSQL/MySQL), cloud storage (S3), and messaging platforms.
      ◦ Sanitization: None described. There is no evidence of content filtering or validation before processing external data.
  • [Unverifiable Dependencies] (MEDIUM): The skill requires the installation of external packages from sources not explicitly on the trusted list.
      ◦ Evidence: Instructs installation of composio (Python) and @composio/core (Node.js). While these are standard for the platform, they represent third-party code that will run with the agent's permissions.
  • [Privilege Awareness] (INFO): The skill documentation correctly identifies the need for OAuth-based scoped access, which is a security best practice, but the potential for abuse remains high due to the breadth of the allowed actions.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level: HIGH
Analyzed: Feb 16, 2026, 06:00 AM