griffin-cli
Pass
Audited by Gen Agent Trust Hub on Mar 3, 2026
Risk Level: SAFE
COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill facilitates the execution of the `griffin` CLI, which is a vendor-owned resource for 'griffin-open-source'. The instructions specify the use of the `--json` global flag to ensure the agent receives structured, machine-readable data, which is a key safety measure for command execution.
- [PROMPT_INJECTION]: The skill contains an indirect prompt injection surface as it processes monitor files (JavaScript and TypeScript) within the project.
  - Ingestion points: Monitor files located in `__griffin__` directories, discovered via the `griffin validate` or `griffin test` commands.
  - Boundary markers: The skill enforces an execution contract requiring the agent to parse exactly one JSON object from stdout/stderr, which serves as a delimiter to prevent the agent from treating untrusted monitor output as valid instructions.
  - Capability inventory: Subprocess calls to the `griffin` binary, including capabilities to modify cloud resources (`apply`, `destroy`) and manage sensitive configuration (`secrets set`).
  - Sanitization: The skill relies on the CLI's internal validation (`griffin validate`) and the `--json` output format to ensure data integrity during processing.
- [CREDENTIALS_UNSAFE]: The skill manages authentication tokens and secrets. It uses a standard vendor-specific path (`~/.griffin/credentials.json`) for credential storage and utilizes a two-step device flow for browser-based authentication, ensuring the agent does not directly handle the user's primary login credentials.
Audit Metadata