The Agent Skills Directory

EXTERNAL_DOWNLOADS (HIGH): The skill instructs the user to install the workflow package via npm i workflow. On the public npm registry, the workflow package is an unmaintained legacy library from 2013 and is not the official SDK for Vercel Workflow, which typically uses @upstash/workflow. This brand impersonation suggests a high risk of a supply chain attack.
REMOTE_CODE_EXECUTION (HIGH): The documentation encourages running npx workflow web and other CLI tools from the unverified workflow package. This allows for arbitrary code execution on the host machine from an untrusted source.
COMMAND_EXECUTION (HIGH): Several commands, including npx workflow inspect runs and npx workflow web, are recommended for use. These commands execute binaries from an unverified package that lacks a clear trust chain.
PROMPT_INJECTION (LOW): The chatWorkflow AI agent example processes untrusted user messages and has access to web search tools and the network, creating a significant surface for indirect prompt injection (Category 8).
Ingestion points: chatWorkflow(messages: UIMessage[]) in SKILL.md.
Boundary markers: Absent; the agent processes input messages directly without delimiters or system instructions to ignore embedded commands.
Capability inventory: The agent has access to a searchWeb tool and makes arbitrary network requests via an override of the global fetch (file: SKILL.md).
Sanitization: Absent; no input validation or output filtering is demonstrated.

vercel-workflow