workflow-builder
Pass
Audited by Gen Agent Trust Hub on Mar 25, 2026
Risk Level: SAFE
Findings: COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection because it reads and executes instructions from workflow files (manifests and step prompts) stored on the local filesystem. If these files are sourced from an untrusted third party, the agent may execute malicious instructions embedded within the steps.
- Ingestion points: In `references/run.md`, the orchestrator reads `context.md` and sequential markdown step files from the `.somnio/workflows/` directory.
- Boundary markers: The skill does not utilize delimiters or specific 'ignore' instructions when interpolating external file content into subagent prompts.
- Capability inventory: The subagents are intended to use the `Bash`, `Write`, and `Agent` tools to perform their tasks.
- Sanitization: There is no evidence of sanitization or safety validation for the content within the workflow files before they are processed by the subagents.
- [COMMAND_EXECUTION]: The workflow orchestrator dynamically constructs shell commands for subagents to ensure output persistence during task execution.
- Evidence: As described in `references/run.md` (Step 6), the orchestrator appends a command mandate to the subagent's prompt, which includes the shell instruction `mkdir -p <resolved outputs_dir>`.
- Risk: The assembly of executable shell commands from variable strings (such as directory paths derived from workflow names) introduces a surface for command injection if those variables contain unvalidated shell metacharacters.
Audit Metadata