connect-apps

HIGH W007: Insecure credential handling detected in skill instructions.

• Insecure credential handling detected (high risk: 0.90). The setup explicitly asks the agent to collect a user's API key (a secret) which could be pasted into the chat and then included verbatim in subsequent commands or requests, creating an exfiltration risk.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (medium risk: 0.65). The skill is a plugin/tool-router for executing actions via Composio-connected apps (e.g., Gmail/Slack/GitHub), and at runtime it will ingest tool results and/or message bodies from those external systems into the agent context; if any of that content is authored by non-operating users (e.g., Slack messages, email threads, issue comments), it becomes outsider free text via the tool execution/return path.