workflow-creator
Warn
Audited by Gen Agent Trust Hub on Apr 27, 2026
Risk Level: MEDIUM
EXTERNAL_DOWNLOADS, REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill's documentation, specifically in references/agent-sessions.md and references/session-config.md, promotes the use of flags such as --allow-dangerously-skip-permissions and permissionMode: "bypassPermissions". These settings are intended to allow agents to execute tools autonomously in background sessions without interactive user confirmation, which removes a critical security safeguard.
- [REMOTE_CODE_EXECUTION]: The skill is designed to author and execute dynamic TypeScript code within .run() and ctx.stage() callbacks. This framework essentially performs runtime execution of user-generated or agent-generated script files located in the .atomic/workflows/ directory.
- [DATA_EXFILTRATION]: references/computation-and-validation.md provides implementation examples for reading local files (e.g., tsconfig.json) using the fs/promises module and sending data to external network endpoints using the fetch() API. This combination of file system access and network capability creates a technical vector for data exfiltration.
- [EXTERNAL_DOWNLOADS]: The references/discovery-and-verification.md file instructs users to install multiple Node.js packages, including @bastani/atomic and several provider-specific SDKs, which are external dependencies executed by the runtime.
- [PROMPT_INJECTION]: The skill architecture relies on passing transcripts and data between different agent sessions via s.transcript() and s.getMessages(). SKILL.md identifies this as an indirect prompt injection surface. While it recommends using XML tags for structure, it does not mandate rigorous sanitization of untrusted data before it is interpolated into subsequent session prompts.
Audit Metadata