Security Audit

connect

github.com/ComposioHQ/awesome-codex-skills

AI SkillCommit ccf6204f6a59

TRUSTED

Scanned about 2 months ago

Critical

Immediate action required

High

Priority fixes suggested

Medium

Best practices review

Low

Acknowledged / Tracked

Trust Assessment

connect received a trust score of 86/100, placing it in the Mostly Trusted category. This skill has passed most security checks with only minor considerations noted.

SkillShield's automated analysis identified 2 findings: 0 critical, 0 high, 2 medium, and 0 low severity. Key findings include Unpinned Python and Node.js Dependencies, Unpinned Python Dependencies in Framework Support.

The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. All layers scored 70 or above, reflecting consistent security practices.

Last analyzed on February 16, 2026 (commit ccf6204f). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.

Layer Breakdown

Manifest Analysis

100%

Static Code Analysis

86%

Dependency Graph

100%

LLM Behavioral Safety

100%

Security Findings2

Severity	Finding	Layer	Location
MEDIUM	Unpinned Python and Node.js Dependencies The skill's setup instructions recommend installing Python and Node.js packages without specifying exact versions. This can lead to supply chain vulnerabilities if a malicious update is pushed to the 'composio', '@composio/core', 'openai-agents', or 'composio-langchain' packages. It also introduces instability due to potential breaking changes in future versions. Pin all dependencies to specific versions (e.g., `pip install composio==X.Y.Z`, `npm install @composio/core@X.Y.Z`). Regularly review and update these pinned versions to incorporate security patches and new features in a controlled manner.	Static	SKILL.md:56
MEDIUM	Unpinned Python Dependencies in Framework Support The framework support section recommends installing Python packages without specifying exact versions. This can lead to supply chain vulnerabilities if a malicious update is pushed to the 'composio-langchain' or 'openai-agents' packages. It also introduces instability due to potential breaking changes in future versions. Pin all dependencies to specific versions (e.g., `pip install composio-langchain==X.Y.Z`). Regularly review and update these pinned versions to incorporate security patches and new features in a controlled manner.	Static	SKILL.md:100

Scan History

Embed Code

[![SkillShield](https://skillshield.io/api/v1/badge/90f2fd925d0c2063.svg)](https://skillshield.io/report/90f2fd925d0c2063)