workflow-lite-execute
Fail
Audited by Gen Agent Trust Hub on May 5, 2026
Risk Level: HIGH
COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill dynamically assembles shell commands for execution via the Bash tool by interpolating content from the buildExecutionPrompt function into a command string (ccw cli -p "..."). The interpolated content includes originalUserInput and task descriptions sourced from external files. This pattern is vulnerable to shell command injection if the input data contains shell metacharacters like double quotes, backticks, or semicolons.
- [PROMPT_INJECTION]: The skill exhibits an indirect prompt injection surface. It ingests data from external files provided via Read(filePath) and task definitions in the .task/ directory, then interpolates this untrusted data into prompts for the Agent and the ccw CLI.
- Ingestion points: Read calls in Mode 3 and the loadTaskFiles function.
- Boundary markers: None. The prompt builder uses standard markdown headers but fails to provide instructions to ignore malicious content within the data sections.
- Capability inventory: The skill has access to Bash for shell execution, Agent for subagent tasks, and Write/Edit for file system modifications.
- Sanitization: No escaping or validation is performed on the ingested content before prompt interpolation.
Recommendations
- AI detected serious security threats
Audit Metadata