nextflow-development
Fail
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: HIGH (REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, PROMPT_INJECTION)
Full Analysis
- Remote Code Execution (HIGH): The skill facilitates the download and direct execution of a shell script from an untrusted external domain (get.nextflow.io) using the piped bash pattern. This pattern allows for arbitrary code execution without verification of the script content and is flagged as a high-risk security issue.
  - Evidence: Found in `SKILL.md` and `references/installation.md`: `curl -s https://get.nextflow.io | bash`.
- Command Execution (HIGH): The skill instructs the agent to execute commands with elevated privileges (sudo) for environment setup and service management, which can lead to unauthorized system modifications if misused.
  - Evidence: `SKILL.md` contains `sudo usermod -aG docker $USER` and `sudo systemctl start docker`.
- External Downloads (MEDIUM): The skill is designed to interact with and download data from external genomic repositories (NCBI/GEO/SRA), involving significant network operations to non-whitelisted domains.
  - Evidence: Referenced in `scripts/utils/__init__.py` and Step 0 of `SKILL.md`.
- Indirect Prompt Injection (LOW): The skill processes user-supplied file and directory names to infer metadata for pipeline configuration. These values are used in command-line templates, creating a surface for indirect prompt injection.
  - Ingestion points: `scripts/detect_data_type.py` and `scripts/utils/file_discovery.py` scan user-provided directories.
  - Boundary markers: None identified in command templates.
  - Capability inventory: Arbitrary shell command execution via `nextflow` and local python scripts.
  - Sanitization: Partial sanitization via regex in `scripts/utils/sample_inference.py`.
Recommendations
- HIGH: Downloads and executes remote code from: https://get.nextflow.io - DO NOT USE without thorough review
- AI detected serious security threats
Audit Metadata