composio-cli
Pass
Audited by Gen Agent Trust Hub on Jun 17, 2026
Risk Level: SAFEPROMPT_INJECTIONCOMMAND_EXECUTION
Full Analysis
- [PROMPT_INJECTION]: The skill facilitates the processing of data from external sources, such as fetching emails via 'GMAIL_FETCH_EMAILS', and interpolating this untrusted content into subsequent prompts via the 'experimental_subAgent' helper function.
- Ingestion points: Data retrieved from Gmail or GitHub tool executions in 'references/power-user-examples.md'.
- Boundary markers: None explicitly defined in the examples to isolate external content from instructions.
- Capability inventory: Includes 'execute', 'proxy', and 'run' (arbitrary code execution) across 'SKILL.md' and its references.
- Sanitization: No sanitization or escaping of external content is shown before interpolation into the sub-agent prompt.
- [COMMAND_EXECUTION]: The 'composio run' and 'composio proxy' commands allow the agent to execute arbitrary JavaScript/TypeScript code and perform raw network requests. While these are core features of the Composio CLI for legitimate automation, they provide a high-privilege execution environment that could be exploited if the agent is influenced by malicious instructions embedded in processed data.
Audit Metadata