flow-next-epic-review
Warn
Audited by Gen Agent Trust Hub on Mar 9, 2026
Risk Level: MEDIUM
Findings: COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill uses eval to execute the output of the flowctl rp setup-review command in workflow.md and flowctl-reference.md. This pattern of dynamic execution can be risky if the tool output is influenced by untrusted external data.
- [COMMAND_EXECUTION]: The skill implements an automated 'Fix Loop' in SKILL.md and workflow.md that performs git add and git commit operations without user confirmation. While intended for automation, this could lead to unintended repository changes if the AI backend provides incorrect or malicious 'fixes'.
- [PROMPT_INJECTION]: The skill is vulnerable to Indirect Prompt Injection (Category 8). It ingests untrusted data from the repository (epic specs, task descriptions, and source code) and interpolates it directly into a prompt sent to an external reviewer (RepoPrompt).
  - Ingestion points: workflow.md reads epic specs via $FLOWCTL cat, task lists via $FLOWCTL tasks, and source code via git diff.
  - Boundary markers: The skill uses markdown headers and an XML-like <file_contents> section in workflow.md to delimit data, but lacks robust protection against adversarial content that mimics these boundaries.
  - Capability inventory: The agent can execute shell commands via flowctl, write temporary files to /tmp, and modify the git repository's history.
  - Sanitization: There is no evidence of sanitization or escaping applied to the content of the specs or code files before they are interpolated into the prompt sent to the AI reviewer.
Audit Metadata