flow-walk

Fail

Audited by Gen Agent Trust Hub on Apr 14, 2026

Risk Level: HIGH
Findings: COMMAND_EXECUTION, DATA_EXFILTRATION, REMOTE_CODE_EXECUTION
Full Analysis
  • [COMMAND_EXECUTION]: The skill uses several shell subprocesses involving ffmpeg, ffprobe, git, and local scripts located in .flowchad/../scripts/. These commands interpolate variables such as $FLOW_NAME (derived from user input) and $SELECT_EXPR (derived from recorded actions) without sanitization, creating a high risk of command injection.
  • [DATA_EXFILTRATION]: The execution logic explicitly resolves $ENV_VAR references from the host environment within the flow definition. If a malicious flow definition is processed, an attacker could access and exfiltrate sensitive secrets or credentials stored in environment variables.
  • [REMOTE_CODE_EXECUTION]: The combination of arbitrary browser interaction via Playwright and the insecure execution of shell commands based on browser output/input names provides a direct pathway for remote code execution on the host system.
  • [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection as it ingests untrusted flow data from .flowchad/flows/ without boundary markers or sanitization, potentially triggering the aforementioned high-severity command execution and data exposure vulnerabilities.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level
HIGH
Analyzed
Apr 14, 2026, 07:54 PM