flow-next
Warn
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: MEDIUMCOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION] (MEDIUM): The skill executes a bundled script
flowctllocated in the plugin root. It uses shell-based data passing methods like heredocs (<<'EOF') and temporary files in/tmp/. If input titles or descriptions are not properly sanitized before being passed to these shell commands, it could lead to command injection. - [PROMPT_INJECTION] (MEDIUM): The skill is vulnerable to Indirect Prompt Injection (Category 8). It ingests untrusted data from the
.flow/directory using commands like$FLOWCTL catand$FLOWCTL show. - Ingestion points: Reads epic and task specifications from the filesystem.
- Boundary markers: None. There are no delimiters or instructions to ignore embedded commands in the processed data.
- Capability inventory: Has the ability to execute shell commands and modify local files via
$FLOWCTL. - Sanitization: None detected. Malicious instructions embedded in a task's markdown description could influence the agent's next actions.
Audit Metadata