Composio Connect

The skill is classified as suspicious due to its broad capabilities, which, while aligned with its stated purpose, introduce significant security risks. It instructs the agent to install an external npm package (`mcporter`) and execute shell commands, including configuring `mcporter` with a URL from an environment variable (`$COMPOSIO_MCP_URL`). While there is no explicit evidence of intentional malicious behavior like data exfiltration or backdoor installation within the provided files, the ability to install arbitrary packages and make external network calls via `mcporter` (e.g., `mcporter call 'composio.GMAIL_CREATE_DRAFT(...)'`) presents a supply chain risk and a potential attack surface if the `mcporter` package or the `COMPOSIO_MCP_URL` were compromised or manipulated. The `SKILL.md` file contains these instructions.