workflow-enforcement

Fail

Audited by Gen Agent Trust Hub on Feb 15, 2026

Risk Level: HIGH
Categories: PROMPT_INJECTION, DATA_EXFILTRATION
Full Analysis
  • [Indirect Prompt Injection] (HIGH): The skill design relies on writing user-provided task descriptions directly into a YAML state file (workflow_state.yaml). Because the text is interpolated without quoting or escaping, this is a high-severity schema confusion vulnerability: a malicious task description can inject YAML control characters that override the recorded status of mandatory steps, such as code reviews, effectively bypassing the enforcement logic.
      • Ingestion points: the task_description field in the workflow_state.yaml template.
      • Boundary markers: absent; the specification provides no delimiters or escaping requirements for user-provided input.
      • Capability inventory: file system write access (workflow_state.yaml) and task list modification (TodoWrite).
      • Sanitization: absent; no instructions are provided to the agent to validate or sanitize external content before interpolation.
  • [Data Exposure] (LOW): The skill operates within specific hidden directories in the user's home folder (~/.amplihack/.claude/). While these paths are part of the intended environment, they represent an attack surface where file manipulation via the identified injection vector could lead to unauthorized access or modification of sensitive tool configurations.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level
HIGH
Analyzed
Feb 15, 2026, 11:42 PM