flow-next-opencode-plan-review

Warn

Audited by Gen Agent Trust Hub on Apr 7, 2026

Risk Level: MEDIUM
Findings: REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
  • [REMOTE_CODE_EXECUTION]: The skill uses eval to execute shell command strings generated by the flowctl tool, which is a form of dynamic code execution.
  • Evidence: The skill executes eval "$($FLOWCTL rp setup-review ...)" in both workflow.md and flowctl-reference.md.
  • Risk: This pattern can lead to arbitrary command execution if the tool's output contains unescaped shell metacharacters originating from user-controlled metadata or project content, such as epic summaries.
  • [COMMAND_EXECUTION]: The skill relies extensively on executing local CLI tools and shell scripts to manage project state.
  • Evidence: It frequently calls git, rp-cli, and a bundled tool located at .opencode/bin/flowctl across SKILL.md and workflow.md.
  • [PROMPT_INJECTION]: The skill exhibits an indirect prompt injection surface because it processes untrusted markdown data from project specifications.
  • Ingestion points: The skill reads markdown files from .flow/specs/ and .flow/tasks/ to build review prompts (as described in workflow.md).
  • Boundary markers: The skill attempts to delimit content using markdown headers, --- separators, and <file_contents> XML tags in the generated prompt.
  • Capability inventory: The skill has the ability to read project files, write updated plan specifications via flowctl epic set-plan, and modify task specifications.
  • Sanitization: There is no evidence of sanitization or escaping for the ingested markdown content before it is interpolated into the prompt sent to the LLM backend.
Audit Metadata
Risk Level
MEDIUM
Analyzed
Apr 7, 2026, 09:07 AM