atmos-workflows
Warn
Audited by Gen Agent Trust Hub on Mar 4, 2026
Risk Level: MEDIUM
COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, REMOTE_CODE_EXECUTION, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill is designed to execute arbitrary shell commands and scripts through the `type: shell` attribute in workflow YAML files, which allows for high-privilege operations on the host system.
- [EXTERNAL_DOWNLOADS]: The workflow system includes a `dependencies` feature that auto-installs external tools (e.g., `tflint`, `checkov`) based on specified versions, creating a path for untrusted software to enter the environment.
- [EXTERNAL_DOWNLOADS]: Documentation examples illustrate the use of commands like `wget` to download external archives from remote URLs during the execution of a workflow step.
- [REMOTE_CODE_EXECUTION]: Since the skill executes instructions directly from YAML configuration files, any compromise of the files in the `stacks/workflows/` directory or the repository could lead to unauthorized remote code execution.
- [PROMPT_INJECTION]:
  - Ingestion points: The agent loads and processes external workflow definitions from YAML files stored in the local file system.
  - Boundary markers: There are no documented mechanisms to sanitize command strings or distinguish between legitimate administrative instructions and malicious injections within the workflow files.
  - Capability inventory: The skill provides full shell access and infrastructure management capabilities (via Atmos/Terraform), which can be abused if the input YAML is manipulated.
  - Sanitization: The engine lacks a validation layer or whitelist for commands, relying entirely on the integrity of the configuration files.
Audit Metadata