skills/xfstudio/skills/connect/Gen Agent Trust Hub

connect

Pass

Audited by Gen Agent Trust Hub on Feb 17, 2026

Risk Level: SAFE
EXTERNAL_DOWNLOADS, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
  • [Indirect Prompt Injection] (LOW): The skill's primary purpose is to ingest data from and interact with external applications (Gmail, Slack, GitHub, etc.), which inherently exposes the agent to malicious instructions embedded in third-party content.
      • Ingestion points: Gmail, Slack, GitHub, Notion, and 1000+ other apps (SKILL.md).
      • Boundary markers: None present in the provided documentation or implementation snippets.
      • Capability inventory: The skill allows the agent to send emails, create GitHub issues, post to Slack, and update databases via the client.query and MCP integration (SKILL.md).
      • Sanitization: No evidence of sanitization or filtering of external data before processing by the LLM is provided.
  • [External Downloads] (LOW): The skill requires the installation of external packages from untrusted (non-whitelisted) sources.
      • Evidence: Instructions to run pip install composio and npm install @composio/core (SKILL.md).
  • [Data Exfiltration] (LOW): By design, the skill facilitates the transfer of data between the agent environment and over 1000 external services. While this is the primary functionality, it could be misused to exfiltrate sensitive local data if the agent is compromised by prompt injection.
      • Evidence: Support for 1000+ integrations including S3, PostgreSQL, and Gmail (SKILL.md).
Audit Metadata
  • Risk Level: SAFE
  • Analyzed: Feb 17, 2026, 06:28 PM