composio-outlook

Pass

Audited by Gen Agent Trust Hub on Mar 3, 2026

Risk Level: SAFE
PROMPT_INJECTION, COMMAND_EXECUTION, DATA_EXFILTRATION
Full Analysis
  • [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection from retrieved email data.
      • Ingestion points: Untrusted data enters the agent context through the OUTLOOK_LIST_MESSAGES, OUTLOOK_GET_MESSAGE, and OUTLOOK_SEARCH_MESSAGES actions.
      • Boundary markers: The skill does not provide delimiters or specific instructions to the agent to ignore or isolate instructions embedded in the email content.
      • Capability inventory: The agent possesses capabilities to execute shell commands (via curl) and perform write operations like sending emails.
      • Sanitization: No sanitization, filtering, or validation is performed on the email bodies before they are processed by the agent.
  • [COMMAND_EXECUTION]: The skill constructs curl commands using shell interpolation for environment variables such as COMPOSIO_USER_ID, CONNECTION_ID, and AGENT_NAME. This is an insecure coding practice that could lead to command injection if these variables were to contain malicious characters.
  • [DATA_EXFILTRATION]: The skill performs network operations to backend.composio.dev. While this domain is not on the explicit whitelist, it is the intended service endpoint for the skill's functionality and no sensitive local file access was observed.
Audit Metadata
Risk Level: SAFE
Analyzed: Mar 3, 2026, 12:47 AM