composio
Fail
Audited by Gen Agent Trust Hub on Apr 1, 2026
Risk Level: HIGH
Findings: PROMPT_INJECTION, COMMAND_EXECUTION
Full Analysis
- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection. It retrieves and processes data from over 1000 external SaaS platforms (such as Gmail, Slack, and GitHub) which can contain malicious instructions embedded by third parties.
- Ingestion points: Data is ingested through tools like GMAIL_FETCH_EMAILS and SLACK_READ_MESSAGES referenced in SKILL.md workflows.
- Boundary markers: There are no instructions providing delimiters or warnings to ignore embedded instructions in retrieved data.
- Capability inventory: The skill allows the agent to execute actions across many platforms via the /internal/execute endpoint.
- Sanitization: No sanitization or validation of external content is described.
- [COMMAND_EXECUTION]: The instructions provide multiple curl commands for the agent to execute. These commands interact with an internal gateway (composio-gateway.flycast) to manage connections and execute tools.
- [SAFE]: The automated security alerts regarding Remote Code Execution are false positives. The commands identified in the skill (e.g., curl ... | python3 -m json.tool) use the Python JSON tool module to format output for readability; they do not execute the downloaded content as code.
Recommendations
- HIGH: Downloads and executes remote code from: http://composio-gateway.flycast/api/toolkits?limit=200, http://composio-gateway.flycast/internal/connections, http://composio-gateway.flycast/api/connections/{connection_id} - DO NOT USE without thorough review
Audit Metadata