antfarm-workflows
Fail
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: HIGH
Categories: COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
- Persistence (HIGH): The skill documentation explicitly describes using cron jobs (antfarm/<workflow-id>/<agent-id>) to trigger agent tasks every 15 minutes. This gives code a mechanism to execute repeatedly and to persist across user sessions without direct intervention.
- Command Execution (MEDIUM): The skill relies on executing a local JavaScript file, ~/.openclaw/workspace/antfarm/dist/cli/cli.js. Although the path targets a specific workspace, this allows arbitrary command execution in the context of the running agent.
- Indirect Prompt Injection (LOW):
  - Ingestion points: The "workflow run" command accepts a "detailed task with acceptance criteria" directly from the user on the command line.
  - Boundary markers: Absent. The skill instructions emphasize that the task string is the "contract," which may lead agents to follow instructions embedded in the user-provided text without verification.
  - Capability inventory: The specialized agents (planner, developer, tester, etc.) can perform feature development, bug fixing, and security audits, work that typically involves file system modification, command execution, and network operations (e.g., creating pull requests).
  - Sanitization: The user-provided task string is not sanitized or escaped before it is passed to the autonomous agents.
Recommendations
- AI detected serious security threats
Audit Metadata