workflows-work
Warn
Audited by Gen Agent Trust Hub on Mar 14, 2026
Risk Level: MEDIUM
DATA_EXFILTRATION, COMMAND_EXECUTION, PROMPT_INJECTION, EXTERNAL_DOWNLOADS
Full Analysis
- [DATA_EXFILTRATION]: The skill facilitates the capture of UI screenshots and their subsequent upload to public, anonymous image hosting services such as Pixhost, Catbox, Imagebin, or Beeimg via the imgup skill. This process can lead to the public exposure of sensitive internal application data, proprietary designs, or unintentional leakage of information visible on the screen.
- [COMMAND_EXECUTION]: The workflow performs a variety of local shell operations, including Git commands and the execution of project-specific test suites (e.g., npm test, pytest, bin/rails test). These operations are necessary for development but provide a vector for arbitrary code execution if the local repository or its build configurations are compromised.
- [PROMPT_INJECTION]: The skill processes external work plans and specifications as its primary input (#$ARGUMENTS), making it vulnerable to indirect prompt injection. A maliciously crafted input document could attempt to override agent instructions or trigger unauthorized actions.
  - Ingestion points: The input work document passed as an argument to the command.
  - Boundary markers: Input content is delimited by <input_document> XML-style tags.
  - Capability inventory: File system access (reading/writing files), local shell execution, and network communication (Git, GitHub, and image hosting services).
  - Sanitization: The skill relies on a manual 'Clarify' step where the agent is instructed to ask the user questions and get approval before proceeding, but it lacks programmatic sanitization of the input content.
- [EXTERNAL_DOWNLOADS]: The skill uses the GitHub CLI (gh) and Git to interact with remote repositories, which involves downloading code and metadata from external sources.
Audit Metadata