workflow-template-extractor

Fail

Audited by Gen Agent Trust Hub on Feb 16, 2026

Risk Level: HIGH
Findings: COMMAND_EXECUTION, REMOTE_CODE_EXECUTION, CREDENTIALS_UNSAFE, PROMPT_INJECTION
Full Analysis
  • COMMAND_EXECUTION (HIGH): The workflow requires the agent to run the source project's 'install', 'dev', and 'build' scripts to verify the template. This allows any repository being processed to execute arbitrary commands on the host system via project-defined build scripts (e.g., npm postinstall hooks, custom build commands).
  • CREDENTIALS_UNSAFE (HIGH): The skill is explicitly designed to handle and remove sensitive data such as Stripe keys, Supabase URLs, and hard-coded tokens. Automated secret identification by an LLM is unreliable; failure to detect obfuscated or non-standard secrets will result in sensitive data being copied into the 'shareable' template output.
  • PROMPT_INJECTION (HIGH): The skill is highly vulnerable to Indirect Prompt Injection (Category 8) because it ingests large amounts of untrusted text from the source repository.
      • Ingestion points: every file within the source_repo_root and the extract_spec.md file.
      • Boundary markers: none. No delimiters or 'ignore embedded instructions' warnings are defined for the file-reading operations.
      • Capability inventory: extensive file-system write access (copying/deleting) and shell command execution (install, dev, build).
      • Sanitization: absent. The agent is instructed to 'copy + cleanup' without validating the content being processed.
  • REMOTE_CODE_EXECUTION (HIGH): By invoking installation and build tools on external projects, the skill facilitates RCE if the source project contains malicious dependency configurations or malicious code that executes during the build lifecycle.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level
HIGH
Analyzed
Feb 16, 2026, 04:16 AM