flow-next-work
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGH
Threat categories: COMMAND_EXECUTION, PROMPT_INJECTION, DATA_EXFILTRATION
Full Analysis
- [PROMPT_INJECTION] (HIGH): The skill is susceptible to Indirect Prompt Injection (Category 8) due to its core design.
  - Ingestion points: Reads and processes untrusted data from user-provided Markdown spec files and free-form 'Idea text'.
  - Boundary markers: Absent. The skill does not use XML tags or specific delimiters to isolate untrusted input from its control logic.
  - Capability inventory: Performs 'git add -A' and 'git commit' (via subagents), executes a bundled shell script 'flowctl', and invokes other agent skills with implementation privileges.
  - Sanitization: None detected. An attacker could embed malicious instructions within a spec file to manipulate the Git history or exfiltrate codebase secrets during the execution phase.
- [COMMAND_EXECUTION] (MEDIUM): The skill executes a bundled script 'flowctl' located at '${CLAUDE_PLUGIN_ROOT}/scripts/flowctl'. While the script is part of the skill package, its operations are opaque to the agent, and it is used to perform system-level tasks like status tracking and backend configuration.
- [DATA_EXFILTRATION] (MEDIUM): The 'Review mode' features (Codex and RepoPrompt) imply the transfer of repository content or implementation details to external LLM services. This represents a risk of data exposure if sensitive information is processed without explicit user filtering.
Recommendations
- AI detected serious security threats
Audit Metadata