skills/datadrivenconstruction/ddc_skills_for_ai_agents_in_construction/workflow-automation/Gen Agent Trust Hub
workflow-automation
Warn
Audited by Gen Agent Trust Hub on Mar 5, 2026
Risk Level: MEDIUM
Categories: COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The generate_airflow_dag method in SKILL.md assembles Python source by hand with f-strings, embedding values such as workflow_id, description and task_id directly into the script template without escaping or validation. A crafted workflow definition (for example, a description containing a closing quote followed by Python statements) can therefore inject arbitrary code into the generated DAG file, and module-level code in a DAG file executes whenever Airflow imports it.
- [DATA_EXFILTRATION]: The skill requests the filesystem permission and uses it to read from and write to whatever paths the task configurations supply (e.g. in _extract_csv, _extract_excel and _load_csv). With no path validation or sandboxing, an agent steered toward an unintended path could read sensitive files or overwrite system files.
- [PROMPT_INJECTION]: The skill follows an ingest-and-process pattern in which the contents of external files (CSV, Excel) are loaded into the agent context, which creates a surface for indirect prompt injection:
  - Ingestion points: Data enters through the _extract_csv and _extract_excel methods in SKILL.md.
  - Boundary markers: No explicit delimiters, and no instructions to ignore embedded commands, are applied when the data is processed.
  - Capability inventory: The skill can read from and write to the filesystem and can generate executable Python scripts.
  - Sanitization: There is no evidence that the content of ingested data files is sanitized or validated.
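The following is an added example written for this audit note; it is not code from the skill's SKILL.md. It reproduces the two code-level findings above in miniature: an f-string DAG generator that a crafted description turns into extra Python statements, beside a hardened generator that whitelists identifiers, emits free text only as a repr() string literal and re-parses its own output; and a path-confinement check of the kind the filesystem finding says is missing. All names (generate_dag_unsafe, generate_dag_safe, confine_path, is_confined, the base directory /srv/ddc) and the payload are assumptions constructed for the illustration, not identifiers or data from the skill.

```python
"""Added example for this audit note, not code from the skill's SKILL.md.

All names here (generate_dag_unsafe, generate_dag_safe, confine_path,
is_confined, the workflow_id/description/task_id parameters) are assumed for
illustration; they are modelled on the finding, not copied from the skill.
"""
import ast
import re
from pathlib import Path

# Airflow DAG and task ids are plain identifiers; anything else is rejected.
IDENT_RE = re.compile(r"[A-Za-z_][A-Za-z0-9_]{0,63}")

# Constructed payload: closes the string literal, runs a command, and
# comments out the remainder of the generated line.
PAYLOAD = "x'); __import__('os').system('id'); #"


def generate_dag_unsafe(workflow_id: str, description: str, task_id: str) -> str:
    """The pattern the finding describes: values pasted into Python source."""
    return (
        "from airflow import DAG\n"
        f"dag = DAG('{workflow_id}', description='{description}')\n"
        f"# task {task_id}\n"
    )


def generate_dag_safe(workflow_id: str, description: str, task_id: str) -> str:
    """Whitelist identifiers, emit free text only via repr(), then re-parse."""
    for name, value in (("workflow_id", workflow_id), ("task_id", task_id)):
        if not IDENT_RE.fullmatch(value):
            raise ValueError(f"{name} is not a safe identifier: {value!r}")
    src = (
        "from airflow import DAG\n"
        f"dag = DAG({workflow_id!r}, description={description!r})\n"
        f"# task {task_id}\n"
    )
    _assert_expected_shape(ast.parse(src))
    return src


def _assert_expected_shape(tree: ast.Module) -> None:
    """Belt and braces: the module must be exactly an import plus one
    DAG(...) assignment whose arguments are all string constants."""
    if len(tree.body) != 2 or not isinstance(tree.body[1], ast.Assign):
        raise ValueError("generated DAG has unexpected statements")
    call = tree.body[1].value
    if not (isinstance(call, ast.Call) and isinstance(call.func, ast.Name)
            and call.func.id == "DAG"):
        raise ValueError("generated DAG assignment is not a DAG(...) call")
    values = list(call.args) + [kw.value for kw in call.keywords]
    if not all(isinstance(v, ast.Constant) and isinstance(v.value, str) for v in values):
        raise ValueError("non-literal argument in generated DAG(...) call")


def count_statements(src: str) -> int:
    """Number of top-level statements Python sees in the generated file."""
    return len(ast.parse(src).body)


def rejects_identifier(value: str) -> bool:
    """True if the hardened generator refuses `value` as a workflow_id."""
    try:
        generate_dag_safe(value, "desc", "t1")
    except ValueError:
        return True
    return False


def confine_path(base_dir: str, user_path: str) -> Path:
    """Resolve user_path under base_dir and refuse anything that escapes it.

    resolve() follows '..' and symlinks, and joining an absolute user_path
    discards base_dir, so traversal, symlink escapes and absolute paths all
    land outside base and are rejected.
    """
    base = Path(base_dir).resolve()
    candidate = (base / user_path).resolve()
    if candidate != base and base not in candidate.parents:
        raise PermissionError(f"{user_path!r} escapes {base}")
    return candidate


def is_confined(base_dir: str, user_path: str) -> bool:
    """Boolean wrapper around confine_path for callers that do not raise."""
    try:
        confine_path(base_dir, user_path)
    except PermissionError:
        return False
    return True


if __name__ == "__main__":
    print(generate_dag_unsafe("wf", PAYLOAD, "t1"))  # 3 statements: injected call
    print(generate_dag_safe("wf", PAYLOAD, "t1"))    # 2 statements: payload stays a string
    print(is_confined("/srv/ddc", "data/input.csv"), is_confined("/srv/ddc", "../../etc/passwd"))
```

The re-parse in generate_dag_safe is deliberately redundant with the repr() escaping: it turns "we think the template is safe" into a check that fails closed if the template is later edited to interpolate something else. Likewise confine_path compares fully resolved paths rather than string prefixes, so a symlink inside the work directory pointing at /etc is caught as well as a literal `../`.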
Audit Metadata