Fluxwing Component Expander
Warn
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: MEDIUM (COMMAND_EXECUTION, PROMPT_INJECTION)
Full Analysis
- COMMAND_EXECUTION (MEDIUM): In Step 5a, the skill executes a shell command using the `uv run` utility. The command interpolates the `{component-name}` variable directly into the bash string (`./fluxwing/components/{component-name}.uxm`). If a user or attacker creates a file with shell metacharacters in its name (e.g., `component; rm -rf /.uxm`), it could lead to arbitrary command execution when the validation step is triggered.
- DYNAMIC_EXECUTION (MEDIUM): The skill executes a Python script (`quick_validate.py`) located at a relative path outside the skill's root (`{SKILL_ROOT}/../uxscii-component-creator/`). This creates a dependency on an external environment and code that is not contained within the skill's own package, which could be modified or replaced by an attacker to achieve persistent code execution.
- PROMPT_INJECTION (LOW): The skill is vulnerable to indirect prompt injection (Category 8).
  - Ingestion points: The skill reads user-controlled files `{component-name}.uxm` and `{component-name}.md` from the `./fluxwing/` directory.
  - Boundary markers: No explicit boundary markers or 'ignore embedded instructions' warnings are used when processing the content of these files.
  - Capability inventory: The skill has `Write`, `Edit`, and `Bash` capabilities, which are used to modify local files and execute validation logic.
  - Sanitization: There is no evidence of sanitization or validation of the content extracted from the `.uxm` or `.md` files before it is used to generate new states or update the filesystem.
- DATA_EXFILTRATION (LOW): The use of the `Bash` tool and the ability to use parent directory references (`../`) in paths allows for potential traversal of the filesystem beyond the intended project scope, though no explicit exfiltration logic was detected.
Audit Metadata