workflow
Fail
Audited by Gen Agent Trust Hub on Mar 12, 2026
Risk Level: HIGH
Threat categories: COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION, REMOTE_CODE_EXECUTION
Full Analysis
- [PROMPT_INJECTION]: The skill is designed to load and execute instructions from external SKILL.md files. This creates a surface for indirect prompt injection.
- Ingestion points: Reads instructions from .agents/skills/workflow-/SKILL.md and ~/.agents/skills/workflow-/SKILL.md.
- Boundary markers: No delimiters or "ignore embedded instructions" warnings are applied when executing sub-workflows.
- Capability inventory: The agent has access to Read, Write, Bash, Glob, and Grep tools during execution.
- Sanitization: No validation or sanitization of the instructions loaded from the workflow files is performed.
- [COMMAND_EXECUTION]: Uses the Bash tool to perform filesystem operations like directory creation (mkdir -p) and manages the execution of workflows that can contain arbitrary shell commands.
- [DATA_EXFILTRATION]: Accesses the user's home directory at ~/.agents/skills/ to list and run workflows. This location can contain sensitive information or credentials from other skills stored in the same directory structure.
- [REMOTE_CODE_EXECUTION]: Since the skill executes instructions from files within a local project directory, it allows for code execution from untrusted sources if a user interacts with a malicious repository containing workflow definitions.
Recommendations
- AI detected serious security threats
Audit Metadata