connect

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The skill's SKILL.md explicitly lists integrations with public, user-generated platforms (e.g., "GitHub", "Reddit", "Twitter" in Supported Apps) and includes an example workflow ("Find GitHub issues labeled 'bug' from this week, summarize, post to #bugs on Slack") showing the agent fetching and interpreting third-party user content and using that to drive actions, which could enable indirect prompt injection.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.80). The skill injects an external MCP endpoint into the agent at runtime via session.mcp.url (the Composio MCP endpoint returned by composio.create, associated with https://platform.composio.dev), which the agent uses to route tool calls and thereby lets that remote HTTP endpoint directly control agent prompts/actions — a required runtime dependency.