airflow
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGH
Findings: CREDENTIALS_UNSAFE, EXTERNAL_DOWNLOADS, REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
- [CREDENTIALS_UNSAFE] (HIGH): The skill is designed to manage and store highly sensitive credentials, including API tokens, usernames, and passwords, in `~/.af/config.yaml`. The `api-reference.md` explicitly notes that `af api connections` exposes passwords in its output.
- [EXTERNAL_DOWNLOADS] (HIGH): All commands use `uvx --from astro-airflow-mcp@latest`, which downloads and executes a package from an external repository at runtime. This source is not within the defined Trusted External Sources, posing a supply chain risk.
- [PROMPT_INJECTION] (MEDIUM): The script `hooks/airflow-skill-suggester.sh` uses directive language ("IMPORTANT: Use the...", "Load the skill first") to override the agent's natural processing flow when specific keywords are detected, which matches behavioral override patterns.
- [REMOTE_CODE_EXECUTION] (HIGH): Indirect Prompt Injection Surface:
  - Ingestion points: The skill reads untrusted external data via `af dags source` (source code), `af tasks logs` (execution logs), and `af config variable` (database values).
  - Boundary markers: None identified in the prompt templates or processing logic.
  - Capability inventory: The skill has significant write/execute capabilities including `af runs trigger` (executing workflows), `af api ... -X POST/DELETE` (modifying Airflow state), and `af instance add` (modifying local configuration).
  - Sanitization: There is no evidence of sanitization for data retrieved from Airflow before it is processed by the agent.
- [COMMAND_EXECUTION] (MEDIUM): The skill frequently executes shell commands that include user-supplied arguments (e.g., `<dag_id>`, `<run_id>`, `<task_id>`), which could be manipulated if not properly escaped by the underlying tool.
Recommendations
- AI detected serious security threats
Audit Metadata