claude-to-deerflow
Pass
Audited by Gen Agent Trust Hub on Mar 8, 2026
Risk Level: SAFE
Full Analysis
- [INDIRECT_PROMPT_INJECTION]: The skill processes data from an external AI platform (DeerFlow), which introduces a surface for indirect prompt injection if the external service returns malicious instructions.
- Ingestion points: Data enters the agent context through the
scripts/chat.shscript, which reads responses from the${LANGGRAPH_URL}/threads/${THREAD_ID}/runs/streamendpoint. - Boundary markers: The skill does not implement boundary markers or instructions to disregard embedded commands in the received data.
- Capability inventory: The skill's capabilities are limited to HTTP network requests (
curl) and JSON processing via Python. It does not possess capabilities for arbitrary command execution or broad filesystem access. - Sanitization: The scripts parse and display the AI's response text without specific sanitization filters for embedded prompt instructions.
- [COMMAND_EXECUTION]: The skill executes local logic via bash and Python scripts (
scripts/chat.sh,scripts/status.sh). These scripts are static components of the skill and perform intended API communication tasks. - [DATA_EXFILTRATION]: The skill transmits user messages and files to the configured DeerFlow API endpoint. This is documented as the primary function of the skill, and the destination URLs default to
localhostunless explicitly configured by the user via environment variables.
Audit Metadata