workflow-execute
Pass
Audited by Gen Agent Trust Hub on Mar 21, 2026
Risk Level: SAFE
COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill uses the Bash tool for session discovery, task status updates, and version control. It executes commands such as find, jq, and git to manage artifacts within the .workflow/ and .task/ directories. Use of shell tools is limited to session management and progress tracking.
- [DATA_EXFILTRATION]: The skill reads session metadata, implementation plans, and task definitions from the local file system. This access is necessary for the skill's purpose of task coordination and context provision to sub-agents.
- [PROMPT_INJECTION]: An indirect prompt injection surface is present because the skill processes task JSON files containing execution logic (pre_analysis steps and [FLOW_CONTROL] markers) which are passed to sub-agents.
  - Ingestion points: .task/IMPL-*.json task files, TODO_LIST.md, and IMPL_PLAN.md.
  - Boundary markers: The orchestration prompt to sub-agents does not include explicit delimiters or safety instructions to disregard instructions embedded in the task data.
  - Capability inventory: Both the orchestrator and sub-agents have access to Bash, Agent (spawning), and Write tools.
  - Sanitization: The skill relies on the structure of task files but does not perform content-level sanitization of the implementation logic provided in the JSON.