workflow-automator
Pass
Audited by Gen Agent Trust Hub on Apr 10, 2026
Risk Level: SAFE
PROMPT_INJECTION, COMMAND_EXECUTION, DATA_EXFILTRATION
Full Analysis
- [PROMPT_INJECTION]: The skill is susceptible to Indirect Prompt Injection (Category 8).
  - Ingestion points: The skill takes a complete description of a manual business workflow from the user as its primary input.
  - Boundary markers: The instructions do not specify any delimiters or safety markers (e.g., XML tags or clear separators) to distinguish user-provided data from system instructions.
  - Capability inventory: The skill is configured with powerful tools including `Bash`, `Write`, `WebFetch`, and `Read`.
  - Sanitization: No explicit sanitization, validation, or filtering of the user-provided workflow description is mentioned before the agent processes it.
- [COMMAND_EXECUTION]: The skill requests access to the `Bash` tool. While no malicious scripts are included in the skill definition, providing a shell-execution capability to an agent that processes untrusted natural language input increases the risk of command injection if the agent is tricked into executing instructions embedded within the workflow description.
- [DATA_EXFILTRATION]: The inclusion of `WebFetch` and `WebSearch` alongside `Read` and `Bash` creates a potential data exfiltration vector. A malicious user input could attempt to influence the agent to read local files or environment variables and transmit them to an external endpoint using the web tools.