run-iflow
Warn
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: MEDIUM (COMMAND_EXECUTION, CREDENTIALS_UNSAFE, DATA_EXFILTRATION)
Full Analysis
- COMMAND_EXECUTION (MEDIUM): The skill utilizes a CLI-based plugin (mcp__plugin_headless-knight_runCLI__iflow) and references an environment variable IFLOW_CLI_COMMAND to define the executable path. If the environment is not properly isolated, this could lead to the execution of unintended binaries.
- CREDENTIALS_UNSAFE (LOW): The skill documentation explicitly mentions the use of IFLOW_API_KEY. While it does not hardcode a key, it highlights the requirement for sensitive credentials to be present in the environment.
- DATA_EXFILTRATION (MEDIUM): The primary purpose of the skill is to send 'complete task descriptions' and 'system prompts' (which may contain sensitive user data or conversation history) to an external, third-party assistant service.
- INDIRECT PROMPT INJECTION (LOW): The skill is highly susceptible to indirect prompt injection as it interpolates conversation context into the prompt and systemPrompt arguments for an external LLM without visible sanitization or boundary markers.
- Ingestion points: The prompt and systemPrompt parameters are derived directly from the user conversation context.
- Boundary markers: None are specified in the tool definition to separate user data from instructions.
- Capability inventory: The skill has network access (via the CLI tool) and the ability to process and transmit full context fragments.
- Sanitization: No sanitization or validation of the input strings is mentioned.
Audit Metadata