flow-impl-review

Fail

Audited by Gen Agent Trust Hub on Feb 16, 2026

Risk Level: HIGH
Categories: COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
  • [PROMPT_INJECTION] (HIGH): High risk of Indirect Prompt Injection via untrusted data ingestion. The skill processes Git diffs, PRDs, architecture docs, and issue tracker data ('Beads').
    • Ingestion Points: SKILL.md specifies reading from git diffs, commit messages, PRD/architecture docs, and issue summaries (bd show).
    • Boundary Markers: Absent. There are no instructions for the agent to use delimiters or ignore instructions embedded in the code/docs being reviewed.
    • Capability Inventory: Executes shell commands via rp-cli (builder, chat, windows) and bd (show).
    • Sanitization: Absent. No logic is provided to sanitize or validate the content of the external files before they are processed by the CLI tools.
  • [COMMAND_EXECUTION] (HIGH): The skill relies on the execution of non-standard, untrusted CLI tools (rp-cli and bd) in the local environment. This grants the agent the ability to execute arbitrary commands if the tools themselves are malicious or if they can be manipulated via command injection in the arguments.
  • [DATA_EXFILTRATION] (MEDIUM): The 'Export for external LLM' feature facilitates the gathering and packaging of sensitive repository data (code, diffs, internal docs) for transport to external services. While this requires user interaction, it streamlines the removal of sensitive internal context from the secure local environment.
  • [EXTERNAL_DOWNLOADS] (MEDIUM): The instructions reference external files workflow.md and rp-cli-reference.md. If these files are not local but retrieved from an untrusted source, they could provide a secondary vector for malicious instruction injection.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level: HIGH
Analyzed: Feb 16, 2026, 05:25 AM