taskflow
Pass
Audited by Gen Agent Trust Hub on Apr 24, 2026
Risk Level: SAFE
Full Analysis
- [PROMPT_INJECTION]: The illustrative examples in examples/inbox-triage.lobster and examples/pr-intake.lobster define workflows that process external content (Gmail messages and GitHub PR data) using an LLM tool. This architectural pattern represents an indirect prompt injection surface.
  - Ingestion points: Data enters the agent context via gog.gmail.search and gh pr list.
  - Boundary markers: The LLM prompts do not demonstrate use of delimiters or warnings to ignore embedded instructions.
  - Capability inventory: Workflows include capabilities to notify users (Telegram/Slack) and modify PR status based on classification of untrusted data.
  - Sanitization: The examples do not show sanitization of external content before processing.