Trust Assessment
composio-integration received a trust score of 14/100, placing it in the Untrusted category. This skill has significant security findings that require attention before use in production.
SkillShield's automated analysis identified 9 findings: 3 critical, 0 high, 4 medium, and 2 low severity. Key findings include "Persistence / self-modification instructions", "Missing required field: name", and "Persistence mechanism: Shell RC file modification".
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The LLM Behavioral Safety layer scored lowest at 29/100, indicating areas for improvement.
Last analyzed on February 13, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (9)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| CRITICAL | **Persistence / self-modification instructions.** Shell RC file modification for persistence. Remove any persistence mechanisms. Skills should not modify system startup configurations, crontabs, LaunchAgents, systemd services, or shell profiles. | Manifest | skills/rita5fr/composio-integration/SKILL.md:8 |
| CRITICAL | **Hardcoded API Key in Skill Description.** The Composio API key is explicitly hardcoded and displayed in the SKILL.md file. This constitutes a severe credential leak, as any entity with access to this skill description gains full access to the API key. This key is used for authentication in various scripts and grants access to connected Gmail and Google Tasks accounts. Remove the hardcoded API key from SKILL.md. Instruct users to provide the API key securely, for example, via environment variables or a secure secrets management system, and ensure it is never committed to version control or publicly exposed. | LLM | SKILL.md:13 |
| CRITICAL | **Command Injection via Unsanitized Arguments in Shell Script.** The `scripts/composio-action.sh` script directly interpolates user-supplied arguments (`$ACTION` and `$PARAMS`) into a `curl` command without proper sanitization. An attacker could craft malicious input for `$ACTION` or `$PARAMS` to execute arbitrary shell commands on the host system, leading to remote code execution, data exfiltration, or system compromise. Sanitize all user-supplied arguments before interpolating them into shell commands. For JSON parameters, ensure they are properly escaped or passed as files. For URL paths, validate against an allow-list or use URL encoding functions. Consider using a safer method for making HTTP requests from shell scripts, or rewrite the script in a language like Node.js where argument handling is more robust. | LLM | scripts/composio-action.sh:24 |
| MEDIUM | **Missing required field: name.** The 'name' field is required for claude_code skills but is missing from frontmatter. Add a 'name' field to the SKILL.md frontmatter. | Static | skills/rita5fr/composio-integration/SKILL.md:1 |
| MEDIUM | **Persistence mechanism: Shell RC file modification.** Detected Shell RC file modification pattern. Persistence mechanisms allow malware to survive system restarts. Review this persistence pattern. Skills should not modify system startup configuration. | Static | skills/rita5fr/composio-integration/SKILL.md:8 |
| MEDIUM | **Unpinned npm dependency version.** Dependency '@composio/client' is not pinned to an exact version ('^0.1.0-alpha.55'). Pin dependencies to exact versions to reduce drift and supply-chain risk. | Dependencies | skills/rita5fr/composio-integration/package.json |
| MEDIUM | **Disclosure of Personally Identifiable Information (PII).** The SKILL.md file explicitly lists an email address (`sonukumar5fr@gmail.com`) associated with connected accounts (Gmail and Google Tasks). While this might be for demonstration, exposing PII in a public skill description can lead to privacy violations or be used for targeted attacks. Replace actual PII with placeholder or redacted information (e.g., `user@example.com`) in public-facing documentation. Ensure that no real user data is ever hardcoded or publicly exposed in skill descriptions or examples. | LLM | SKILL.md:20 |
| LOW | **Unpinned Pre-release Dependency.** The `package.json` file specifies `@composio/client` with a caret (`^`) range for a pre-release version (`^0.1.0-alpha.55`). This means future installations could pull in newer alpha versions that might introduce breaking changes, security vulnerabilities, or unexpected behavior without explicit review. Pre-release versions are inherently less stable and more prone to issues. Pin the dependency to an exact version (e.g., `"0.1.0-alpha.55"`) to ensure deterministic builds and prevent unexpected updates. For production-ready skills, prefer stable, non-pre-release versions of dependencies. | LLM | package.json:3 |
| LOW | **Potential URL Manipulation via Unsanitized Tool Slug.** In `scripts/execute-tool.mjs`, the `tool_slug` argument is directly interpolated into the URL path for the `fetch` request. While Node.js's `fetch` typically handles URL encoding for path segments, a maliciously crafted `tool_slug` containing special URL characters (e.g., `?`, `#`, `/../`) could potentially lead to unintended API calls, path traversal attempts, or data leakage if the backend API is not robustly validating the slug. Implement explicit validation for `tool_slug` to ensure it conforms to expected patterns (e.g., alphanumeric, hyphens, underscores) before it is used in the URL. Alternatively, use a URL construction utility that strictly encodes path components. | LLM | scripts/execute-tool.mjs:6 |