agentic-workflow
Fail
Audited by Gen Agent Trust Hub on Mar 7, 2026
Risk Level: HIGH
Findings: EXTERNAL_DOWNLOADS, COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
- [EXTERNAL_DOWNLOADS]: The skill contains a Dockerfile example that downloads and executes an installation script from Anthropic's official domain (claude.ai). This is a well-known service, and the operation is documented neutrally as a legitimate setup step.
- [COMMAND_EXECUTION]: The workflow documentation describes the execution of various CLI tools including Git, npm, and Docker for tasks such as automated commits, PR management, and running tests.
- [PROMPT_INJECTION]: The skill describes an indirect prompt injection surface where the agent is instructed to process untrusted data from external sources.
- Ingestion points: The agent reads external Pull Request data via `gh pr checkout` and analyzes local source code using tools like `ask-gemini` with the `@src/` context.
- Boundary markers: No specific boundary markers or instructions to ignore embedded commands are provided for these ingestion points.
- Capability inventory: The skill uses Bash, Read, and Write tools to execute shell commands and modify the file system based on its analysis.
- Sanitization: There is no evidence of sanitization or filtering of the content retrieved from external PRs or codebases before processing.
Recommendations
- HIGH: Downloads and executes remote code from: https://claude.ai/install.sh - DO NOT USE without thorough review
Audit Metadata