connect-apps
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGH (EXTERNAL_DOWNLOADS, COMMAND_EXECUTION, PROMPT_INJECTION)
Full Analysis
- EXTERNAL_DOWNLOADS (HIGH): The skill instructs the user to install the composio-toolrouter plugin. This is an external dependency that manages access to sensitive accounts and is not hosted on a pre-approved trusted source repository.
- PROMPT_INJECTION (HIGH): The skill creates a massive surface for Indirect Prompt Injection. It ingests untrusted data from sources like Gmail, Slack, and GitHub and possesses high-privilege write capabilities (sending emails, creating issues, database access). An attacker sending a malicious email could potentially trigger the agent to execute instructions across other connected services.
- COMMAND_EXECUTION (MEDIUM): The setup process requires executing custom plugin commands (/composio-toolrouter:setup) which perform configuration and credential handling for external services.
- DATA_EXFILTRATION (MEDIUM): The core functionality involves moving data between various external platforms. Without strict boundary markers or sanitization mentioned, there is a risk of unintentional data exposure or unauthorized exfiltration if the agent is misled.
Recommendations
- AI detected serious security threats
Audit Metadata