skill-system-workflow

Pass

Audited by Gen Agent Trust Hub on Mar 9, 2026

Risk Level: SAFE
Finding category: PROMPT_INJECTION
Full Analysis
  • [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection via the 'goal' and 'context' inputs provided to the 'plan' operation.
  • Ingestion points: User-provided strings are ingested through the 'goal' and 'context' parameters and used to customize recipe tasks (e.g., in recipes/feature-flow.yaml) or passed to the core planning prompt (prompts/plan-workflow.md).
  • Boundary markers: The instructions in 'scripts/plan-and-visualize.md' do not define boundary markers (such as XML tags or delimiters) to isolate user input from the planning instructions.
  • Capability inventory: The skill has file system and database read permissions ('fs.read', 'db.read') and generates tasks that can load other functional skills such as 'skill-system-postgres' and 'systematic-debugging'.
  • Sanitization: There is no evidence of sanitization, escaping, or validation of user-provided content before it is interpolated into the workflow structure.
Audit Metadata
Risk Level: SAFE
Analyzed: Mar 9, 2026, 08:56 AM