writing-agent-relay-workflows
Pass
Audited by Gen Agent Trust Hub on Mar 19, 2026
Risk Level: SAFE PROMPT_INJECTION COMMAND_EXECUTION
Full Analysis
- [PROMPT_INJECTION]: The skill documents a 'Step Output Chaining' mechanism ({{steps.X.output}}) that interpolates the output of one step into the task prompt of a subsequent agent. This creates a surface for indirect prompt injection if the source data is untrusted or contains adversarial instructions.
  - Ingestion points: Interpolation of previous step results into agent task instructions as shown in SKILL.md.
  - Boundary markers: The examples do not demonstrate the use of delimiters or 'ignore' instructions for the interpolated content.
  - Capability inventory: The agents have capabilities to write files, execute various AI CLI tools (claude, aider, etc.), and run host shell commands.
  - Sanitization: No sanitization or validation of the interpolated data is documented or demonstrated in the examples.
- [COMMAND_EXECUTION]: The workflow system supports 'deterministic' steps that execute shell commands directly on the host system. While this is a documented core feature for file verification and build automation, it represents a high-privilege capability that should be used with caution and validated inputs.
Audit Metadata