workflow
Pass
Audited by Gen Agent Trust Hub on Feb 27, 2026
Risk Level: SAFE
Tags: COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: Dynamically executes multi-step workflows by orchestrating Model Context Protocol (MCP) tools defined in local markdown files. The skill parses .workflow.md files and sequentially triggers tools such as enrich_company, find_person, and generate_email based on the workflow configuration.
- [PROMPT_INJECTION]: Ingests data from external sources via research tools and processes it within the workflow, creating a surface for indirect prompt injection.
  * Ingestion points: Data returned by research tools like enrich_company and find_person, or user-defined variables.
  * Boundary markers: No explicit markers are defined in the instructions to separate untrusted research data from subsequent processing logic.
  * Capability inventory: Extensive capabilities including file system access, dynamic tool invocation, and network delivery via MCP.
  * Sanitization: No explicit sanitization or validation of data retrieved from external research tools is specified before it is interpolated into prompts.
- [DATA_EXFILTRATION]: Provides functionality to deliver workflow results to external services like Salesforce, HubSpot, Notion, and Slack. It implements a 'Deliver to tools' phase that identifies connected MCP servers and pushes workflow outputs to these cloud-based GTM and productivity platforms.
- [COMMAND_EXECUTION]: Reads from and writes to the local file system to manage workflow definitions. It accesses the plugin's internal workflows/ directory and the user's home directory at ~/.octave/workflows/ to discover, show, and create workflow files.
Audit Metadata