App Connectors
Warn
Audited by ClawScan on May 10, 2026.
Overview
This skill is openly an app connector, but it gives the agent broad ability to use a Composio API key and OAuth connections to act across many third-party apps without enough declared scope or confirmation controls.
Use this skill only if you are comfortable giving an agent Composio-mediated access to your connected apps. Before enabling it, configure a least-privilege Composio API key, connect only the apps you need, avoid shared `default` identities, and require the agent to show and confirm any action that sends, posts, modifies, deletes, or disconnects data.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If the agent misunderstands a request or is prompted badly, it could perform real actions in connected apps, such as sending messages or changing account data.
The skill tells the agent to call a generic execution endpoint for app actions and permits batching many actions, but does not require per-action confirmation, an allowlist, a dry-run, or other safeguards.
Execute Tools (COMPOSIO_MULTI_EXECUTE_TOOL) ... "tool_slug": "GMAIL_SEND_EMAIL" ... "Rules:" ... "Batch independent tools in a single call (max 50)"
Require explicit user confirmation before every mutating or external-facing action, show the exact app/tool/arguments first, restrict allowed apps and tool slugs, and reduce or disable bulk execution by default.
Users may not realize installation/use requires a credential capable of controlling connected third-party apps through Composio.
The skill requires a sensitive credential and instructs the agent to look in secret stores, while the registry metadata declares no required env vars or primary credential. That key can authorize management and execution through connected app accounts.
"Required:" - `COMPOSIO_API_KEY` — Project-scoped API key from Composio ... "If not in env, check the framework's secrets provider (vault, secrets.json, .env)."
Declare COMPOSIO_API_KEY in metadata, document the exact Composio and OAuth scopes needed, use least-privilege project keys, and require user permission before reading from vaults, .env files, or secrets.json.
The agent could list or act through the wrong connected account if multiple users, entities, or workspaces share the same Composio project.
The instructions hardcode `user_uuid=default` for listing connected accounts and for the /apps flow, which can confuse or mix identities if used in a shared or multi-user environment.
Use the v1 REST API to get all active connections for the current entity: `.../v1/connectedAccounts?user_uuid=default&showActiveOnly=true`
Bind Composio operations to an explicit per-user or per-workspace entity ID instead of `default`, and show the selected account/entity before connecting or executing actions.
Data placed into tool arguments, such as email recipients and message bodies, will transit a third-party API.
Tool arguments and app content are sent to Composio's external backend. This is expected for this connector, but the artifact does not describe retention, logging, or data handling.
Base URL: `https://backend.composio.dev/api` ... "arguments": { "to": "john@example.com", "subject": "Hello", "body": "Welcome!" }
Review Composio's privacy and retention policies, avoid sending unnecessary sensitive data, and disclose to users when app content is being sent through Composio.
