ccw
Warn
Audited by Gen Agent Trust Hub on May 5, 2026
Risk Level: MEDIUM (COMMAND_EXECUTION, PROMPT_INJECTION)
Full Analysis
- [COMMAND_EXECUTION]: The skill dynamically assembles shell-like command strings for execution by sub-agents, using untrusted data sources.
  - Evidence: The `buildSkillCall` function performs direct string interpolation of the user's `intent` and artifact data (like `plan_dir`, `analysis_dir`, etc.) into the command line using `.replace()`.
  - Risk: If a user provides an intent containing shell metacharacters (e.g., `;`, `$(...)`, `&&`), or if an artifact generated by a previous skill is tampered with, it could lead to the execution of arbitrary commands when `spawn_agents_on_csv` processes the wave.
- [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection as it consumes and acts upon data generated by other tools/skills in the pipeline.
  - Ingestion points: File artifacts such as `.workflow/.analysis/ANL-*/conclusions.json`, `.workflow/active/WFS-*/workflow-session.json`, and `.workflow/.lite-plan/*/plan.json` are read and their contents (e.g., `gaps`, `phase`, `task_count`) are used to construct subsequent commands.
  - Capability inventory: The skill has access to `spawn_agents_on_csv`, `Bash`, `Write`, and `Edit`, allowing it to perform significant system operations.
  - Boundary markers: The instructions passed to sub-agents (`WAVE_INSTRUCTION`) lack explicit delimiters or warnings to ignore instructions embedded within the parameters of the `skill_call`.
  - Sanitization: While the skill performs basic CSV escaping (doubling quotes), it does not sanitize the logical content of the strings being placed into executable contexts.