agentic-workflow

Pass

Audited by Gen Agent Trust Hub on Feb 17, 2026

Risk Level: SAFE
Tags: PROMPT_INJECTION, COMMAND_EXECUTION
Full Analysis
  • [Indirect Prompt Injection] (LOW): The workflow creates a chain where sub-agents consume untrusted data from previous stages.
    1. Ingestion points: Prompts in agents (e.g., plan-agent, implement-agent) read files from .claude/cache/agents/.
    2. Boundary markers: No explicit delimiters or instructions to ignore embedded commands are used when reading these files.
    3. Capability inventory: Agents have the ability to run shell commands (tests) and spawn further tasks via the Task tool.
    4. Sanitization: No validation is performed on the content of the cache files before they are read by subsequent agents.
  • [Dynamic Execution] (LOW): The implementation stage involves generating and running code. The agentica-agent is prompted to write tests and implement code, then 'Run tests to verify'. While this is the primary purpose of the implementation stage, it represents an execution risk if the input plan or research has been compromised via indirect injection.
Audit Metadata
Risk Level: SAFE
Analyzed: Feb 17, 2026, 05:38 PM