Skills
skills/ruvnet/ruflo/migrate-validate/Gen Agent Trust Hub

migrate-validate

Pass

Audited by Gen Agent Trust Hub on May 7, 2026

Risk Level: SAFEEXTERNAL_DOWNLOADSCOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
  • [EXTERNAL_DOWNLOADS]: The skill references a CLI tool, @claude-flow/cli, which is downloaded and executed from the npm registry using the npx command.
  • [COMMAND_EXECUTION]: The skill utilizes the Bash tool to list migration files and execute searches against the migration history using a CLI tool.
  • [PROMPT_INJECTION]: The skill processes untrusted content from database migration files (.up.sql and .down.sql). This creates an attack surface for indirect prompt injection where an attacker could place malicious instructions inside SQL comments or strings to influence the agent's behavior during validation.
  • Ingestion points: Content from SQL files found via Glob and loaded via Read.
  • Boundary markers: None; migration content is parsed directly for validation rules.
  • Capability inventory: Includes Bash, Read, Grep, and several state-management tools (mcp__claude-flow__*).
  • Sanitization: The skill does not explicitly describe any sanitization or escaping of the SQL content before parsing.
Audit Metadata
Risk Level
SAFE
Analyzed
May 7, 2026, 03:17 PM