flow (Warn)
Audited by Gen Agent Trust Hub on Feb 19, 2026
Risk Level: MEDIUM (COMMAND_EXECUTION, PROMPT_INJECTION)
Full Analysis
- Command Execution (MEDIUM): The init.md command installs a persistent SessionStart hook in .claude/settings.json. This hook is configured to execute a local shell script (flow-bootstrap.sh) every time a new session starts. While persistence is the intended purpose for context recovery, session hooks are a high-privilege mechanism. The severity is downgraded from HIGH to MEDIUM as it is the primary stated purpose of the skill.
- Indirect Prompt Injection (LOW): The flow-bootstrap.sh script reads various project-local files and injects their content into the agent's context as additionalContext. This creates an attack surface where malicious content in project files (e.g., from an untrusted PR) could manipulate agent behavior.
  - Ingestion points: Content is read from .work/brief.md, .work/state.md, .work/items/*/ITEM.md, and .work/log.md within the scripts/flow-bootstrap.sh script.
  - Boundary markers: The script uses Markdown headers (e.g., "## Project Brief") to separate context but lacks explicit delimiters or instructions to the AI to ignore instructions embedded within these files.
  - Capability inventory: The skill allows for comprehensive file system modifications and shell command execution through its execution, research, and planning methodologies.
  - Sanitization: The script performs structural JSON escaping to maintain parseability but does not perform any semantic filtering or sanitization of the content for prompt injection patterns.
Audit Metadata