Composio
Warn
Audited by ClawScan on May 10, 2026.
Overview
This is a legitimate-looking Composio connector, but it deserves review because it gives an agent broad delegated power to act across many connected apps using a Composio API key and OAuth connections.
Install only if you intend to let your agent use Composio as a broad automation gateway. Before use, verify the Composio domain and publisher, protect the API key, connect only the apps and scopes you need, and require manual confirmation before the agent sends messages, changes data, or performs other side-effecting actions.
Findings (5)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If an agent uses this skill too freely, it could perform real actions in connected apps such as sending messages or changing workspace data.
A single generic execution endpoint can invoke many app actions, including sending email, and the visible instructions do not define approval gates or action limits.
SKILL.md: `Every tool is called through one endpoint — the tool slug goes in the URL: POST /api/v3/tools/execute/{TOOL_SLUG}` ... `GMAIL_SEND_EMAIL`
Use least-privilege Composio projects/connections, require explicit user confirmation for any write/send/delete action, and review each tool schema before execution.

A Composio API key or connected account could grant the agent access to sensitive third-party services beyond what the user expects from the metadata.
The skill requires a provider API key and delegated OAuth/API app connections, but the registry metadata does not declare those credentials.
metadata: `Env var declarations: none` / `Primary credential: none`; SKILL.md: `Auth: All requests require x-api-key: YOUR_API_KEY` and `Creates or checks OAuth/API connections for toolkits.`
Declare the required credential in metadata, store the API key securely, restrict connected apps/scopes, and revoke unused connected accounts.

Provider-generated guidance could influence the agent's workflow and should be treated as advisory, not authoritative.
The agent is instructed to incorporate provider-returned plans and pitfalls before acting; this is purpose-aligned, but those returned instructions should not override the user's goal.
SKILL.md: `COMPOSIO_SEARCH_TOOLS` ... `Returns tool schemas, execution plans, connection status, and pitfalls.` ... `Review the recommended_plan_steps and known_pitfalls before executing.`
Keep user instructions and safety checks higher priority than Composio-returned planning text.

Task details may be retained or reused within a Composio workflow session.
The skill sends task descriptions and known fields to Composio sessions that are reused across calls; the artifact itself warns not to include personal identifiers.
SKILL.md: `session.generate_id` ... `Reuse the session ID returned from first call` and `queries[].known_fields` ... `No personal identifiers here.`
Avoid placing secrets, personal identifiers, or unnecessary private data in search queries or known_fields.

Users have less registry-level information to verify that this skill is the intended Composio integration.
The registry entry lacks source/homepage provenance while directing users to an external service that will receive API-authenticated requests.
metadata: `Source: unknown`, `Homepage: none`; SKILL.md: `API Base: https://backend.composio.dev/api/v3`
Verify the publisher and domains independently before entering an API key or connecting sensitive accounts.
