executing-workflow
Warn
Audited by Gen Agent Trust Hub on Feb 23, 2026
Risk Level: MEDIUM
Findings: COMMAND_EXECUTION, CREDENTIALS_UNSAFE
Full Analysis
- [Command Execution] (MEDIUM): The skill's data resolution logic for cli:{platform} involves executing arbitrary shell commands defined as fallback_cmd within a workflow-spec.yaml file. Since this file is read from the filesystem based on user-provided skill names, it allows for the execution of potentially unsafe code if a malicious skill folder exists in the search path.
- [Credential Access] (MEDIUM): The skill is explicitly designed to check for and utilize high-value environment variables (e.g., STRIPE_API_KEY) to authenticate CLI tools. While it does not hardcode these secrets, it provides a mechanism for external configurations to leverage these credentials in spawned processes.
- [Indirect Prompt Injection] (LOW):
  - Ingestion points: Reads workflow-spec.yaml, SKILL.md, and workflow.md from directories matching the skill name.
  - Boundary markers: None. The agent treats the content of these files as trusted instructions for orchestration.
  - Capability inventory: File system read/write, CLI command execution via bun, and MCP tool calls.
  - Sanitization: There is no evidence of sanitization for the fallback_cmd strings or the {skill-name} variable used to construct file paths, which could lead to path traversal or command injection if the agent is tricked into loading a malicious path.
Audit Metadata