flow-next-plan-review
Warn
Audited by Gen Agent Trust Hub on Feb 19, 2026
Risk Level: MEDIUM (COMMAND_EXECUTION, REMOTE_CODE_EXECUTION)
Full Analysis
- [COMMAND_EXECUTION] (MEDIUM): The skill implements an automated 'Fix Loop' that performs file modifications and state changes (`epic set-plan`, `task set-spec`) using `flowctl`. The instructions explicitly command the agent to bypass user confirmation ('Do NOT ask user for confirmation... Never use AskUserQuestion in this loop'), which removes the human-in-the-loop safety check for potentially destructive operations.
- [REMOTE_CODE_EXECUTION] (MEDIUM): The skill utilizes `eval` to process the output of a local command: `eval "$($FLOWCTL rp setup-review ...)"`. Although `flowctl` is a bundled tool, the use of `eval` on command output is a dangerous pattern that can lead to arbitrary code execution if the tool's output is influenced by untrusted data.
- [INDIRECT PROMPT INJECTION] (LOW): The skill is vulnerable to indirect injection as it processes external files and arguments without sanitization.
  - Ingestion points: Epic specifications (`.flow/specs/${EPIC_ID}.md`), task specifications, and `$ARGUMENTS`.
  - Boundary markers: None detected; the skill directly parses content from markdown files using `grep` and heredocs.
  - Capability inventory: Ability to execute shell commands, write to the filesystem via `flowctl`, and perform `eval` on command output.
  - Sanitization: No evidence of sanitization or validation of the content being read from spec files before it is passed to shell commands or used in the fix loop.
Audit Metadata