workflow-orchestrator
Warn
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: MEDIUM (EXTERNAL_DOWNLOADS, COMMAND_EXECUTION)
Full Analysis
- [EXTERNAL_DOWNLOADS] (MEDIUM): The skill is hosted at github.com/Charon-Fan/agent-playbook, which is not on the trusted repository or organization list.
- [COMMAND_EXECUTION] (MEDIUM): The logic involves executing 'follow-up actions' in 'auto' and 'background' modes. This creates an execution path for potentially arbitrary commands defined in configuration files.
- [Indirect Prompt Injection] (MEDIUM): The skill exhibits an attack surface for indirect injection. Evidence Chain:
  1. Ingestion points: Reads hook definitions from skills/auto-trigger/SKILL.md.
  2. Boundary markers: None documented in the README or implementation overview.
  3. Capability inventory: Executes actions (including background tasks) and logs session context.
  4. Sanitization: None documented; the skill appears to trust the content of the SKILL.md file implicitly. If a malicious process or another skill modifies the trigger file, the orchestrator will execute those injected actions.
Audit Metadata