workflow-updater
Warn
Audited by Gen Agent Trust Hub on Mar 8, 2026
Risk Level: MEDIUM
Categories: COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, PROMPT_INJECTION, DATA_EXFILTRATION
Full Analysis
- [COMMAND_EXECUTION]: The skill executes dynamically generated scripts using `node -e` in Step 6 of `SKILL.md`. The script interpolates `${AGENT_NAME}` (sourced from the workflow being updated) directly into its body, so a name containing quote characters or shell metacharacters can alter both the shell command line and the JavaScript that `node -e` evaluates. This may lead to command injection if the input workflow carries a malicious name.
- [COMMAND_EXECUTION]: Dynamically loads a local library with `require('.claude/lib/creators/companion-check.cjs')` in Step 3. Although this is a local path, dynamic loading of validation logic at run time is a notable behavior.
- [EXTERNAL_DOWNLOADS]: Fetches research data from `arxiv.org` and performs web searches via the `Exa` platform. These are well-known research services, used here to align workflows with current industry standards.
- [DATA_EXFILTRATION]: Accesses internal configuration and metadata files such as `agent-registry.json`, `skill-catalog.md`, and the project memory files (`learnings.md`, `decisions.md`, `issues.md`). This access is legitimate for the skill's purpose of ecosystem alignment but represents a data exposure surface.
- [PROMPT_INJECTION]: The skill ingests untrusted data from external research, creating an indirect prompt injection surface.
  - Ingestion points: External content is retrieved via `WebFetch` (targeting `arxiv.org`) and `WebSearch` (via `Exa`) in Step 2 of `SKILL.md`.
  - Boundary markers: Includes a mandatory 'Security Review Gate' that checks fetched prose for tool invocations and instruction-like patterns.
  - Capability inventory: The skill uses high-privilege tools including `Bash`, `Write`, `Edit`, `WebFetch`, and `Skill` execution.
  - Sanitization: Scans external data for size, binary content, tool usage, and prompt injection markers before using it.
Audit Metadata