workflow-creator
Pass
Audited by Gen Agent Trust Hub on Mar 6, 2026
Risk Level: SAFECOMMAND_EXECUTIONPROMPT_INJECTIONREMOTE_CODE_EXECUTION
Full Analysis
- [COMMAND_EXECUTION]: The 'main.cjs' script and the lifecycle hooks ('pre-execute.cjs', 'post-execute.cjs') perform direct file system operations to modify project configuration files such as 'CLAUDE.md' and routing tables, as well as managing a local state file.
- [PROMPT_INJECTION]: The skill mandates the use of external research (via Exa and arXiv) to inform the generation of sub-agent prompts. This creates a surface for indirect prompt injection as follows: 1. Ingestion points: 'WebSearch' (Exa) and 'WebFetch' (arXiv) calls in SKILL.md. 2. Boundary markers: Absent in workflow prompt templates. 3. Capability inventory: 'Bash', 'Write', and 'Task' (agent spawning) capabilities across workflows. 4. Sanitization: No sanitization of external research content before interpolation into prompts.
- [REMOTE_CODE_EXECUTION]: The skill generates workflow files containing 'Task()' definitions which are interpreted and executed by the system's orchestration layer to spawn sub-agents with specific toolsets.
Audit Metadata