workflow-weaver

Pass

Audited by Gen Agent Trust Hub on Mar 12, 2026

Risk Level: SAFE
Findings: PROMPT_INJECTION, COMMAND_EXECUTION, DATA_EXFILTRATION
Full Analysis
  • [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection. It records the output of WebFetch, WebSearch, and Read actions into a new SKILL.md file intended for future execution.
  • Ingestion points: Data enters the context via WebFetch (URL content), WebSearch (search results), and Read (local file content) tool calls during the recording session.
  • Boundary markers: The skill template does not specify the use of strict delimiters or instructions to ignore embedded commands within the captured step descriptions or reference materials.
  • Capability inventory: The resulting skill utilizes bash, read, and write tools.
  • Sanitization: The skill validates the skill-name for alphanumeric characters but does not sanitize the actual content captured from tool outputs before writing them to the final skill file.
  • [COMMAND_EXECUTION]: The skill uses the bash tool to manage its directory structure (mkdir -p) and to generate the final skill file (cat > ...). It correctly validates the skill-name variable to prevent command injection through directory names and uses a quoted heredoc (<< 'EOF') to prevent shell expansion of the recorded content.
  • [DATA_EXFILTRATION]: The skill facilitates the exposure of sensitive data by explicitly prompting the user to save the results of Read and WebFetch operations into a local references/ folder. This creates secondary copies of potentially sensitive information (e.g., configuration files, private documentation) in a predictable path within the .claude/skills/ directory.
Audit Metadata
  • Risk Level: SAFE
  • Analyzed: Mar 12, 2026, 12:04 PM