Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
composio cli
v1.0.0
Use 1000+ external apps via Composio - either directly through the CLI or by building AI agents and apps with the SDK
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The name/description (Composio CLI & SDK to access many external apps) aligns with the instructions to use composio search/execute, login, and SDK examples. However, the skill metadata declares no required environment variables or credentials while multiple example files show using a COMPOSIO_API_KEY (process.env.COMPOSIO_API_KEY) and SDK initialization — this is an incoherence (the skill will realistically need an API key for SDK usage).
Instruction Scope
SKILL.md instructs running networked commands (curl -fsSL https://composio.dev/install | bash) that fetch and execute remote code, and it guides use of CLI login flows (including piping JSON to jq and sharing login URLs/keys). Those runtime instructions go beyond read-only docs and direct the agent/user to run potentially high-risk operations. The docs also instruct agents on account linking, auth-config creation, and manipulating organization/user contexts — powerful actions that legitimately belong to this skill but increase risk if misused or automated without safeguards.
Install Mechanism
There is no formal install spec in the registry, but the runtime docs explicitly tell users/agents to run curl | bash from composio.dev. Download-and-execute from a remote URL is high-risk unless the install source and release signatures are verified. The instruction offers no guidance about verifying the installer (checksums, signatures) or preferring a package manager or vetted release host.
Credentials
Registry metadata lists no required env vars, yet multiple files show examples that expect an API key (e.g., process.env.COMPOSIO_API_KEY). The skill will likely require credentials for SDK use and OAuth flows, but these aren't declared. The docs also include patterns for creating and managing OAuth clients and API-key-based auth configs — powerful operations that justify dedicated secrets but should be clearly declared and minimized. This mismatch is an incoherence and increases the chance a user will accidentally expose credentials or not realize what to supply.
Persistence & Privilege
The skill is not declared 'always: true' and is user-invocable; it does not request system-wide persistence in the registry. There's no install spec that writes files under nonstandard locations in the manifest, although the curl|bash step would if executed. Autonomous invocation is allowed (default) but not combined with other explicit privileged flags in the metadata.
Scan Findings in Context
[system-prompt-override] unexpected: A prompt-injection pattern (system-prompt-override) was detected inside SKILL.md. This suggests the skill text contains constructs that could attempt to influence the agent's system prompt or behavior. This is unexpected for a CLI/SDK documentation file and should be reviewed manually. No other code-files were present for regex analysis.
What to consider before installing
This skill appears to be documentation for a real CLI/SDK (Composio) and could be useful if you trust the vendor, but there are several red flags to consider before installing or letting an agent act on it:
- Do NOT run curl -fsSL https://composio.dev/install | bash without verification. Download-and-execute from a URL can run arbitrary code on your machine. Prefer an official package (brew/apt/pnpm/pip) or verify the installer via checksums/GPG signatures or an official GitHub release.
- The registry metadata says no env vars are required, but the docs show examples using COMPOSIO_API_KEY. Expect to need an API key for SDK usage — only provide keys with least privilege and never paste secrets into untrusted shells or chat logs.
- The SKILL.md includes CLI commands that perform OAuth linking and tool execution. If you allow the agent to call these autonomously, it could act on your connected apps (send email, create issues, post messages). Consider disabling autonomous model invocation for this skill or audit every invocation policy if you don't want fully autonomous actions.
- A prompt-injection pattern was detected in the skill text. Review the SKILL.md manually for any instructions that attempt to override agent/system prompts or to exfiltrate data (e.g., by recommending to pipe outputs to remote endpoints). Remove or sandbox any such steps.
- If you need to try this: test in an isolated environment (VM/container) and with a disposable Composio account or limited-scope credentials. Inspect the install script before running it and verify the composio.dev domain and repository provenance (GitHub repo, official docs, company site, package signatures).
If you want, I can: (a) extract and display the exact install script content from the URL (if you fetch it) so you can inspect it, (b) highlight the lines in SKILL.md that reference secrets or the API key, or (c) suggest safer install/verification steps and a minimal permission strategy for OAuth/API keys.
rules/tr-framework-integration.md:414
Prompt-injection style instruction pattern detected.
About static analysis
These patterns were detected by automated regex scanning. They may be normal for skills that integrate with external APIs. Check the VirusTotal and OpenClaw results above for context-aware analysis.
Like a lobster shell, security has layers — review code before you run it.
