workflow-creator
Fail
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: HIGH
Findings: EXTERNAL_DOWNLOADS, REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
- EXTERNAL_DOWNLOADS (HIGH): The `scripts/download_skill.py` utility allows for the downloading of content from any user-provided GitHub repository URL.
  - Evidence: The `download_skill` function in `scripts/download_skill.py` accepts a `repo_url` parameter and executes a `git clone` command using `subprocess.run` without restricting the source to trusted domains or organizations.
- REMOTE_CODE_EXECUTION (HIGH): The skill is designed to 'install' remote packages (skills) directly into directories where the AI agent is configured to read instructions and execute tasks.
  - Evidence: `scripts/download_skill.py` copies downloaded content into `./.claude/skills/`, and `scripts/create_workflow.py` creates multiple symlinks (e.g., `.cursor/skills`, `.windsurf/skills`) pointing to this directory, effectively placing unverified remote code into the agent's runtime environment.
- COMMAND_EXECUTION (MEDIUM): The skill executes system-level commands to manage the environment and fetch dependencies.
  - Evidence: `scripts/download_skill.py` uses `subprocess.run` to invoke `git` for cloning and sparse-checkouts.
- PROMPT_INJECTION (LOW): The system facilitates Indirect Prompt Injection by design, as it ingests third-party instructions that guide agent behavior.
  - Ingestion points: External GitHub repositories via `scripts/download_skill.py`.
  - Boundary markers: Absent; the templates in `assets/templates/` do not include delimiters or warnings to ignore embedded instructions in downloaded content.
  - Capability inventory: The skill has the ability to execute git commands, perform filesystem operations (mkdir, symlink), and write configuration files (`settings.json`).
  - Sanitization: Absent; the code only verifies the existence of a `SKILL.md` file but does not inspect its contents for malicious instructions or safety violations.
Recommendations
- AI detected serious security threats
Audit Metadata