agentflow
Fail
Audited by Gen Agent Trust Hub on Apr 14, 2026
Risk Level: HIGH
Findings: EXTERNAL_DOWNLOADS, REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
- [EXTERNAL_DOWNLOADS]: The skill requires cloning a repository from an unverified third-party account (UrRhb/agentflow) during the installation process.
- [REMOTE_CODE_EXECUTION]: Following the download, the user is instructed to install and execute shell scripts and AI worker processes directly from the unverified source.
- [COMMAND_EXECUTION]: The skill establishes persistence by requiring the user to configure a crontab entry (*/15 * * * * ~/.claude/sdlc/agentflow-cron.sh) that executes the orchestrator script every 15 minutes.
- [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection because it processes untrusted data from external sources (Kanban board comments and SPEC.md) without documented sanitization.
- Ingestion points: Kanban board task comments and SPEC.md file content (SKILL.md).
- Boundary markers: None identified; the skill does not specify the use of delimiters or instructions to ignore embedded commands in ingested data.
- Capability inventory: The skill can execute shell commands including npm test, tsc, eslint, and git revert, as well as dispatching autonomous worker agents.
- Sanitization: No sanitization, escaping, or validation logic is described for the data processed from the Kanban board or specification files.
Recommendations
- AI detected serious security threats