flow-work
Pass
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: SAFE
PROMPT_INJECTION, COMMAND_EXECUTION
Full Analysis
- PROMPT_INJECTION (LOW): Vulnerability to Indirect Prompt Injection.
  - Ingestion points: The skill reads external markdown plan files (plans/*.md) and Beads issue descriptions (via bd show/search) as documented in phases.md.
  - Boundary markers: Absent; there are no instructions to the agent to delimit or ignore instructions embedded within these external files.
  - Capability inventory: High; the skill has the ability to write code, execute tests, perform git operations (checkout, commit, push), and invoke sub-agents like /flow:impl-review for automated fixes.
  - Sanitization: Absent; data from external plans is directly used to drive the task list and execution loop.
- COMMAND_EXECUTION (SAFE): The skill executes shell commands for git management and utilizes proprietary CLI tools (rp-cli, bd). These operations are necessary for the skill's intended purpose of managing a development workflow and do not represent unauthorized privilege escalation.