connect
Pass
Audited by Gen Agent Trust Hub on Mar 29, 2026
Risk Level: SAFE, EXTERNAL_DOWNLOADS, PROMPT_INJECTION
Full Analysis
- [EXTERNAL_DOWNLOADS]: The skill documentation includes instructions to install several external packages from public registries (PyPI and NPM), including composio, claude-agent-sdk, openai-agents, and @composio/core. These are official libraries for the Composio service and are standard for this type of integration.
- [PROMPT_INJECTION]: The skill is designed to ingest data from untrusted external sources such as emails, chat messages, and issue trackers, creating a potential surface for indirect prompt injection.
  - Ingestion points: Untrusted data enters the agent context from connected services (Gmail, Slack, GitHub, etc.) as noted in SKILL.md.
  - Boundary markers: The provided code examples and instructions do not specify the use of delimiters or boundary markers for ingested content.
  - Capability inventory: The skill provides extensive capabilities to take actions (send emails, create issues, update databases) across a wide range of categories (Email, Chat, Dev, CRM, etc.).
  - Sanitization: There is no mention of sanitization or validation of content fetched from external tools before it is processed by the agent.
- [DATA_EXFILTRATION]: While the skill is intended to transmit data to external services, it correctly instructs users to manage sensitive credentials using environment variables (COMPOSIO_API_KEY) and relies on OAuth for service-specific authorizations, which limits unauthorized data exposure.