flowi
Warn
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: MEDIUMPROMPT_INJECTION
Full Analysis
- [PROMPT_INJECTION] (MEDIUM): Potential for indirect prompt injection via the visual feedback loop.\n
- Ingestion points:
SKILL.mdinstructs the agent to "Read the JSON file back from .flowi/" to observe user modifications.\n - Boundary markers: Absent. No delimiters or instructions are provided to the agent to treat node labels or descriptions as untrusted data.\n
- Capability inventory: The agent uses the diagram's structured data to "Update your implementation plan accordingly," meaning injected instructions could alter the agent's system design and implementation steps.\n
- Sanitization: Absent. The skill does not validate or sanitize the string content of diagrams before processing.\n- [COMMAND_EXECUTION] (LOW): Requires execution of a local Node.js server.\n
- Evidence:
SKILL.mdprompts the user to runnode ~/.claude/skills/flowi/server.js.\n - Context: The risk is mitigated by the server's restriction to the loopback interface (127.0.0.1) and internal checks that prevent writing files outside the designated directory.
Audit Metadata