composio
Warn
Audited by Gen Agent Trust Hub on May 22, 2026
Risk Level: MEDIUM (COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, PROMPT_INJECTION)
Full Analysis
- [COMMAND_EXECUTION]: The skill directs the agent to generate and run local Python scripts to handle complex multi-step workflows, such as browser session management with Playwright and chunked media uploads for Twitter. This creates a surface for dynamic code execution based on the provided templates.
- [COMMAND_EXECUTION]: The skill provides numerous examples for using curl to interact with the internal gateway API (http://composio-gateway.flycast) and external endpoints.
- [EXTERNAL_DOWNLOADS]: Operational flows depend on several external Python libraries, specifically composio_client, playwright, httpx, and requests.
- [EXTERNAL_DOWNLOADS]: The skill performs network requests to external service domains including composio-gateway.fly.dev and connect.browserbase.com.
- [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection due to its core function of ingesting untrusted data from external APIs like Gmail and GitHub.
  - Ingestion points: Untrusted data enters the agent context through tools like GMAIL_FETCH_EMAILS, GITHUB_GET_REPOSITORY_CONTENT, and GOOGLEDOCS_GET_DOCUMENT_PLAINTEXT as described in SKILL.md.
  - Boundary markers: The instructions lack explicit delimitation or 'ignore instructions' warnings when processing retrieved external content.
  - Capability inventory: The skill allows the agent to execute shell commands via curl and run generated Python scripts, which could be exploited by malicious data.
  - Sanitization: There is no documentation or instruction for sanitizing or validating external content before the agent processes it.
Audit Metadata