clawflow
Pass
Audited by Gen Agent Trust Hub on Apr 1, 2026
Risk Level: SAFE
PROMPT_INJECTION, COMMAND_EXECUTION, DATA_EXFILTRATION
Full Analysis
- [PROMPT_INJECTION]: The workflow examples for inbox triage and PR intake use an LLM to classify content fetched from external, attacker-controllable sources. An attacker could embed instructions in an email or a GitHub pull request to manipulate the classification outcome and influence subsequent automated actions.
  - Ingestion points: The `fetch` steps in `examples/inbox-triage.lobster` (using `gog.gmail.search`) and `examples/pr-intake.lobster` (using `gh pr list`).
  - Boundary markers: Absent in the classification prompts used in both examples.
  - Capability inventory: The workflow can execute actions such as routing messages to Slack/Telegram (`examples/inbox-triage.lobster`) and closing or modifying GitHub PRs (`examples/pr-intake.lobster`).
  - Sanitization: No sanitization, filtering, or validation is performed on the data before it is passed to the classification tool.
- [COMMAND_EXECUTION]: The skill relies on executing various external command-line tools and scripts (e.g., `gh`, `gog.gmail.search`, `slack-route`, `pr-close-low-signal`) to perform its primary functions.
- [DATA_EXFILTRATION]: The skill is designed to move data from private environments (Gmail, GitHub) to external communication and management tools (Slack, Telegram), which constitutes the movement of sensitive information according to the defined logic.
Audit Metadata