workflow-execute

Pass

Audited by Gen Agent Trust Hub on Mar 5, 2026

Risk Level: SAFE
Findings: PROMPT_INJECTION, COMMAND_EXECUTION
Full Analysis
  • [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection (Category 8) because it processes untrusted data and interpolates it into prompts for sub-agents and LLM analysis tools.
  • Ingestion points: The skill reads implementation plans (IMPL_PLAN.md), task definitions (.task/*.json), and task summaries (.summaries/*.md).
  • Boundary markers: The Agent prompt template uses headers like 'Input:', 'Output Location:', and 'Execution:', which provide some structure but may not prevent an LLM from obeying instructions embedded in the variable data.
  • Capability inventory: The orchestrator has access to powerful tools including Bash, Agent (launching sub-agents), Write, and Edit.
  • Sanitization: No sanitization or escaping is performed on the task titles ({task.title}) or summary content before they are injected into the agent's prompt or the ccw cli analysis commands.
  • [COMMAND_EXECUTION]: The skill uses the Bash tool to perform legitimate workflow management tasks.
  • Evidence: It executes commands such as jq for JSON manipulation, find for session discovery, and git for automatic commits of implemented tasks.
  • Evidence: In Phase 6, it uses rg (ripgrep) to search for potential secrets and vulnerabilities as part of a defensive security review process.
Audit Metadata
Risk Level: SAFE
Analyzed: Mar 5, 2026, 12:42 PM