cy-workflow-memory
Pass
Audited by Gen Agent Trust Hub on Apr 15, 2026
Risk Level: SAFE
Findings: PROMPT_INJECTION, DATA_EXFILTRATION
Full Analysis
- [PROMPT_INJECTION]: The skill is vulnerable to Indirect Prompt Injection because it explicitly directs the agent to 'Treat these files as mandatory context for the run, not optional notes' (SKILL.md). This creates a risk where malicious instructions embedded in memory files could be followed by the agent.
  - Ingestion points: Workflow instructions in SKILL.md require reading shared and task-specific memory files.
  - Boundary markers: Absent. The skill provides no instructions to use delimiters or to ignore embedded commands within the memory content.
  - Capability inventory: The skill performs file system read and write operations.
  - Sanitization: Absent. No validation, filtering, or escaping of memory file content is performed.
- [DATA_EXFILTRATION]: The skill accepts file paths as input ('Workflow memory directory path', 'Shared workflow memory file path') without performing validation or restricting access to specific directories. This could allow a caller to point the agent to sensitive local files (e.g., SSH keys, environment variables) to be read into the agent's context under the guise of workflow memory.
Audit Metadata