airflow-hitl
Pass
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: SAFEPROMPT_INJECTION
Full Analysis
- [Indirect Prompt Injection] (LOW): The skill provides templates for ingesting untrusted human data into automated workflows.
- Ingestion points: Data enters the agent context via
result['chosen_options']in HITLOperator andresult['params_input']in HITLEntryOperator examples inSKILL.md. - Boundary markers: No specific delimiters or warnings to the model to ignore instructions embedded in the human-provided text are present in the provided templates.
- Capability inventory: The skill demonstrates minimal capabilities, primarily printing input to task logs. No dangerous functions like
os.system,subprocess.run,eval, or file-write operations are used. - Sanitization: External content is not sanitized before interpolation into log messages, though the impact is negligible in the provided examples.
- [Dependency Analysis] (SAFE): The skill correctly references
airflow.providers.standard.operators.hitlandairflow.sdk, which are standard components for the upcoming Airflow 3.x release. No untrusted third-party dependencies were detected. - [Remote Code Execution] (SAFE): No remote script downloads or dynamic execution patterns (such as piped curl commands) were found in the provided code blocks.
Audit Metadata