flowsterix-best-practices
Pass
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: SAFE
PROMPT_INJECTION
Full Analysis
- [PROMPT_INJECTION] (LOW): Potential surface for Indirect Prompt Injection. The library executes user-provided JavaScript callbacks within FlowDefinition objects to manage UI state transitions (e.g., `onEnter`, `migrate`, `predicate`). If an agent processes or generates these definitions based on untrusted external data, there is a risk of arbitrary logic execution in the client environment.
  - Ingestion points: Flow definitions ingested by the `TourProvider` in `examples/basic-flow.tsx`.
  - Boundary markers: None identified; definitions are treated as trusted configuration code.
  - Capability inventory: Capability to perform DOM queries, simulate clicks, and make network requests via `fetch()` as demonstrated in `examples/lifecycle-hooks.tsx` and `examples/waitfor-async.tsx`.
  - Sanitization: The framework does not sanitize the logic within provided hooks, relying on the host application for safety.
- [DATA_EXFILTRATION] (SAFE): Network activity is restricted to application-relative paths (e.g., `/api/tour-state`, `/api/analytics`) for legitimate state persistence and telemetry. No exfiltration patterns to third-party or attacker-controlled domains were found.
- [CREDENTIALS_UNSAFE] (SAFE): No hardcoded secrets or API keys were detected. Code examples use standard authorization patterns with dynamic token retrieval (e.g., `getToken()`).
Audit Metadata