workflow-lite-plan
Pass
Audited by Gen Agent Trust Hub on Mar 6, 2026
Risk Level: SAFECOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
- [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection. Task descriptions and file contents provided by the user are interpolated directly into instructions for sub-agents (e.g.,
cli-explore-agent) and command-line interfaces (e.g.,ccw cli). - Ingestion points: Untrusted data enters the context via the
task-descriptionargument and external files read via theReadtool in02-lite-execute.md. - Boundary markers: No explicit boundary markers or 'ignore' instructions are used to wrap the interpolated user content.
- Capability inventory: The skill utilizes powerful tools including
Bash,Task(agent spawning),Write, andEdit. - Sanitization: No sanitization or validation of the task description is performed before it is embedded into executable prompt templates.
- [COMMAND_EXECUTION]: The skill makes extensive use of the
Bashtool to perform environment setup, project discovery, and task execution. Specifically, it executes: - File system operations like
mkdir -pandtest -dto manage session folders. - Codebase exploration commands such as
find,rg, and vendor-specific scripts likeget_modules_by_depth.sh. - A proprietary CLI tool
ccwfor project context loading (ccw spec load), task synchronization (/workflow:session:sync), and code implementation (ccw cli). - [DATA_EXPOSURE]: The skill accesses configuration and schema files located in the user's home directory (e.g.,
~/.ccw/workflows/cli-templates/schemas/plan-overview-base-schema.jsonand~/.claude/cli-tools.json). While these are used for the tool's internal logic, accessing the home directory expands the skill's data exposure surface beyond the immediate project scope.
Audit Metadata