composio-mcp

Warn

Audited by Snyk on Apr 25, 2026

Risk Level: MEDIUM
Full Analysis

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

  • Third-party content exposure detected (high risk: 0.90). The SKILL.md explicitly instructs the agent to connect to and fetch/execute actions against 1000+ external apps (e.g., "GitHub, Slack, Notion, Gmail" and examples like "fetch Gmail emails" and "Include inline references/links (e.g., Slack thread links, GitHub PR URLs) in results"), so the agent will ingest and act on user-generated/untrusted third-party content that can influence subsequent tool use and decisions.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

  • Potentially malicious external URL detected (high risk: 0.80). The skill depends at runtime on the Composio MCP endpoint (connect.composio.dev/mcp), which exposes COMPOSIO_REMOTE_BASH_TOOL and COMPOSIO_REMOTE_WORKBENCH that execute shell/Python code in a remote sandbox, so external content can cause remote code execution.

Issues (2)

  • W011 (MEDIUM): Third-party content exposure detected (indirect prompt injection risk).
  • W012 (MEDIUM): Unverifiable external dependency detected (runtime URL that controls agent).

Audit Metadata

Risk Level: MEDIUM
Analyzed: Apr 25, 2026, 01:00 AM
Issues: 2