composio-cli

Pass

Audited by Gen Agent Trust Hub on Jun 17, 2026

Risk Level: SAFE (findings flagged: PROMPT_INJECTION, COMMAND_EXECUTION)
Full Analysis
  • [PROMPT_INJECTION]: The skill processes data from external sources (for example, emails fetched via 'GMAIL_FETCH_EMAILS') and interpolates this untrusted content into subsequent prompts through the 'experimental_subAgent' helper function.
  • Ingestion points: Data retrieved from Gmail or GitHub tool executions in 'references/power-user-examples.md'.
  • Boundary markers: None explicitly defined in the examples to isolate external content from instructions.
  • Capability inventory: Includes 'execute', 'proxy', and 'run' (arbitrary code execution) across 'SKILL.md' and its references.
  • Sanitization: No sanitization or escaping of external content is shown before interpolation into the sub-agent prompt.
  • [COMMAND_EXECUTION]: The 'composio run' and 'composio proxy' commands allow the agent to execute arbitrary JavaScript/TypeScript code and perform raw network requests. While these are core features of the Composio CLI for legitimate automation, they provide a high-privilege execution environment that could be exploited if the agent is influenced by malicious instructions embedded in processed data.
Audit Metadata
  • Risk Level: SAFE
  • Analyzed: Jun 17, 2026, 07:37 AM