skill-system-workflow
Pass
Audited by Gen Agent Trust Hub on Apr 11, 2026
Risk Level: SAFE
Findings: PROMPT_INJECTION, NO_CODE
Full Analysis
- [PROMPT_INJECTION]: The skill presents an indirect prompt injection surface in its core planning functionality.
  - Ingestion points: The `goal` and `context` input parameters in the `plan` operation (SKILL.md) are the primary entry points for untrusted data.
  - Boundary markers: Absent. The planning prompt (`prompts/plan-workflow.md`) uses simple headers but lacks strong delimiters (like XML tags or specific 'ignore embedded instructions' warnings) to isolate the user-provided goal from the system instructions.
  - Capability inventory: The skill manifest defines `fs.read` and `db.read` capabilities. While the skill itself is a planning engine, its output (the DAG) is designed to be executed by other agents, potentially allowing an attacker to influence the sequence of operations performed by the agent system.
  - Sanitization: No sanitization, validation, or escaping logic is applied to the input strings before they are interpolated into the prompt templates.
- [NO_CODE]: The skill consists entirely of Markdown procedures, YAML configuration, and LLM prompts. No executable binaries, Python scripts, or JavaScript files are distributed with the skill, which significantly reduces the attack surface for direct code-based execution.
Audit Metadata