workflow-builder
Pass
Audited by Gen Agent Trust Hub on Mar 25, 2026
Risk Level: SAFE
PROMPT_INJECTION, COMMAND_EXECUTION
Full Analysis
- [PROMPT_INJECTION]: The skill reads content from markdown files in .somnio/workflows/ and interpolates it directly into prompts for sub-agents, creating a surface for indirect prompt injection.
  - Ingestion points: reads workflow step instructions and context manifests from the project or global .somnio/workflows directory (referenced in SKILL.md, plan.md, and run.md).
  - Boundary markers: no delimiters or specific instructions are used to separate untrusted file content from the orchestrator's instructions.
  - Capability inventory: the skill and its sub-agents have access to Bash, Agent, and WebFetch tools.
  - Sanitization: no validation or filtering is performed on the content of the workflow markdown files before they are sent to the sub-agent.
- [COMMAND_EXECUTION]: The workflow runner instructions in run.md direct the agent to dynamically construct shell commands (e.g., mkdir -p) based on resolved file paths and append them to sub-agent prompts for automated file system management.
Audit Metadata