Security Audit

composio

github.com/openclaw/skills

AI SkillCommit 13146e6a3d46

CAUTION

Scanned about 2 months ago

Critical

Immediate action required

High

Priority fixes suggested

Medium

Best practices review

Low

Acknowledged / Tracked

Trust Assessment

composio received a trust score of 58/100, placing it in the Caution category. This skill has some security considerations that users should review before deployment.

SkillShield's automated analysis identified 6 findings: 2 critical, 3 high, 1 medium, and 0 low severity. Key findings include Missing required field: name, Arbitrary Code Execution via Remote Workbench, Arbitrary Command Execution via Remote Bash Tool.

The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The LLM Behavioral Safety layer scored lowest at 0/100, indicating areas for improvement.

Last analyzed on February 14, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.

Layer Breakdown

Manifest Analysis

100%

Static Code Analysis

93%

Dependency Graph

100%

LLM Behavioral Safety

Behavioral Risk Signals

Network Access

2 findings

Filesystem Write

1 finding

Shell Execution

5 findings

Dynamic Code

3 findings

Excessive Permissions

2 findings

Security Findings6

Severity	Finding	Layer	Location
CRITICAL	Arbitrary Code Execution via Remote Workbench The skill exposes `COMPOSIO_REMOTE_WORKBENCH`, which allows the execution of arbitrary Python code within a persistent remote Jupyter sandbox. If an AI agent constructs the `code_to_execute` parameter from untrusted user input without rigorous sanitization, it can lead to critical command injection, allowing an attacker to execute malicious Python code in the sandbox environment. Implement strict input validation and sanitization for any user-provided input that might be used to construct the `code_to_execute` parameter. Consider requiring explicit user confirmation for executing code generated from untrusted sources. Ensure the sandbox environment operates with the principle of least privilege.	LLM	skill.md:297
CRITICAL	Arbitrary Command Execution via Remote Bash Tool The skill exposes `COMPOSIO_REMOTE_BASH_TOOL`, which allows the execution of arbitrary Bash commands within the same persistent sandbox environment as the workbench. If an AI agent constructs the `command` parameter from untrusted user input without rigorous sanitization, it can lead to critical command injection, allowing an attacker to execute malicious shell commands. Implement strict input validation and sanitization for any user-provided input that might be used to construct the `command` parameter. Consider requiring explicit user confirmation for executing commands generated from untrusted sources. Ensure the sandbox environment operates with the principle of least privilege.	LLM	skill.md:387
HIGH	Data Exfiltration via Remote Workbench and Bash Tools The `COMPOSIO_REMOTE_WORKBENCH` and `COMPOSIO_REMOTE_BASH_TOOL` capabilities, which allow arbitrary code/command execution, can be leveraged for data exfiltration. An attacker who successfully injects code could read files from the sandbox filesystem (e.g., `/tmp/` files, or potentially environment variables) and exfiltrate them using network requests (e.g., `curl` in Bash, `requests` in Python) or the provided `upload_local_file` helper function. Restrict network egress from the sandbox environment to only necessary endpoints. Implement robust logging and monitoring of file access and network activity within the sandbox. Ensure sensitive data is not stored or accessible within the sandbox environment. Review and limit the scope of `upload_local_file` if possible.	LLM	skill.md:312
HIGH	Credential Harvesting via Arbitrary Code Execution The skill requires an `x-api-key` (`COMPOSIO_API_KEY`) for authentication. If an attacker achieves arbitrary code execution via `COMPOSIO_REMOTE_WORKBENCH` or `COMPOSIO_REMOTE_BASH_TOOL`, they could potentially access and exfiltrate this API key or other credentials if they are exposed as environment variables or accessible within the sandbox environment. Ensure that API keys and other sensitive credentials are not directly exposed within the sandbox environment where arbitrary code can be executed. If they must be accessible, implement mechanisms to prevent their exfiltration (e.g., network egress restrictions, credential rotation, short-lived tokens). Monitor access to credential storage.	LLM	skill.md:20
HIGH	Excessive Permissions via Direct API Proxy The `proxy_execute` helper function, available within `COMPOSIO_REMOTE_WORKBENCH`, allows direct API calls to connected toolkits with arbitrary methods, endpoints, query parameters, and bodies. This grants very broad and unstructured access to underlying APIs, potentially bypassing Composio's tool-specific abstractions. If an attacker gains control of the `code_to_execute` parameter, they could exploit this to perform unauthorized actions on connected applications. Agents should be designed to use `proxy_execute` only when absolutely necessary and with extreme caution. Implement strict validation and allow-listing for the `method`, `endpoint`, and `toolkit` parameters if they are derived from untrusted input. Consider limiting the scope of what `proxy_execute` can access or requiring explicit user consent for such direct API interactions.	LLM	skill.md:310
MEDIUM	Missing required field: name The 'name' field is required for claude_code skills but is missing from frontmatter. Add a 'name' field to the SKILL.md frontmatter.	Static	skills/wjayesh/composio/skill.md:1

Scan History

Embed Code

[![SkillShield](https://skillshield.io/api/v1/badge/f870d8bda9fc0b88.svg)](https://skillshield.io/report/f870d8bda9fc0b88)