workflow-creator
Pass
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: SAFEPROMPT_INJECTIONEXTERNAL_DOWNLOADSCOMMAND_EXECUTION
Full Analysis
- [PROMPT_INJECTION] (LOW): Indirect Prompt Injection surface via external skill discovery.
- Ingestion points: The skill fetches and displays the contents of
SKILL.mdfiles from an external registry (https://skills.sh/) during the discovery phase (Step 1.2 and Prompt 1.5). - Boundary markers: External content is displayed to the agent/user without strict isolation markers (e.g., 'ignore embedded instructions'). A malicious skill on the registry could attempt to hijack the agent session when its content is read.
- Capability inventory: The skill possesses the ability to write new skill files to the local file system and list existing skills in
~/.claude/skills/. - Sanitization: No content sanitization is performed on external markdown before processing or display.
- [EXTERNAL_DOWNLOADS] (LOW): Communication with non-whitelisted external registry.
- The skill interacts with
https://skills.sh/for skill lookup and leaderboard fetching. This is the primary purpose of the skill, and risks are mitigated by the 'do not auto-install' policy, which requires the user to manually execute installation commands. - [COMMAND_EXECUTION] (LOW): Execution of bundled validation scripts.
- The skill uses
python3to run internal validation scripts (scripts/validate_workflow_spec.py,scripts/validate_skill_md.py). These scripts are local, deterministic, and use standard libraries to validate file structure and naming conventions.
Audit Metadata