dex-workflow
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGHEXTERNAL_DOWNLOADSPROMPT_INJECTIONCOMMAND_EXECUTION
Full Analysis
- [EXTERNAL_DOWNLOADS] (HIGH): The skill documentation recommends installing a third-party extension via
npx skills add dcramer/dex. The source 'dcramer' is not an approved trusted organization, meaning the downloaded code is unverified and could contain malicious logic. - [PROMPT_INJECTION] (HIGH): The skill is highly susceptible to Indirect Prompt Injection (Category 8).
- Ingestion points: Data is ingested via
dex plan <file.md>anddex import #123(GitHub Issues). - Boundary markers: None. The instructions do not specify any delimiters to separate task data from instructions.
- Capability inventory: The skill explicitly instructs the agent to parse the task description for a 'Skills:' line and then execute the
/Skill <skill-name>command based on that value. - Sanitization: None. There is no validation or filtering performed on the
<skill-name>string extracted from the external source. - [COMMAND_EXECUTION] (MEDIUM): The skill's markdown header contains active shell execution triggers (
!git branch ...and!dex status ...). While the specific commands listed are for status checking, the use of automated shell execution within the skill definition increases the attack surface for local command injection.
Recommendations
- AI detected serious security threats
Audit Metadata