workflow-composer
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGHCOMMAND_EXECUTIONEXTERNAL_DOWNLOADSPROMPT_INJECTION
Full Analysis
- [Indirect Prompt Injection] (HIGH): The skill transforms arbitrary user descriptions into executable artifacts. 1. Ingestion Points: User-provided process descriptions in Phase 1 Discovery and Phase 2 Step Extraction. 2. Boundary Markers: Absent; user input is interpolated without delimiters or 'ignore' warnings. 3. Capability Inventory: Generates .sh scripts, .yml GitHub Actions, and agent hooks (PostToolUse, PreToolUse) which trigger automated execution. 4. Sanitization: Absent; input is directly placed into executable templates and instruction sets.
- [Persistence Mechanisms] (HIGH): Generates persistent automation via GitHub Actions and agent hooks that remain active across sessions, creating a long-term vector for malicious code execution if the generation is poisoned.
- [Privilege Escalation] (MEDIUM): Explicitly instructs users to apply 'chmod +x' to generated shell scripts and modify sensitive configuration directories such as .claude/hooks/.
- [External Downloads] (MEDIUM): Recommends the use of 'npx vibery install' for hooks from an unverifiable source, which may execute arbitrary remote code during the installation process.
Recommendations
- AI detected serious security threats
Audit Metadata