workflow-migration
Fail
Audited by Gen Agent Trust Hub on Mar 12, 2026
Risk Level: HIGHCREDENTIALS_UNSAFECOMMAND_EXECUTIONDATA_EXFILTRATIONPROMPT_INJECTION
Full Analysis
- [CREDENTIALS_UNSAFE]: The skill is designed to automatically discover and extract sensitive authentication credentials, including Claude Code OAuth tokens and various service API keys (Notion, GitHub, Slack) found in local configuration files and the shell environment.
- [COMMAND_EXECUTION]: Uses system commands such as
ls,find, andcatto systematically scan the user's local directory structure, specifically targeting~/.claude/skills/, to locate workflow definitions and configuration files. - [DATA_EXFILTRATION]: Programmatically reads the contents of local
.envfiles and environment variables to gather secrets, which are then processed and stored in new configuration files at a different location on the local filesystem. - [PROMPT_INJECTION]: The skill is exposed to indirect prompt injection risks when processing natural language content from external workflow files.
- Ingestion points: Reads natural language descriptions from local
SKILL.mdfiles using thecatcommand. - Boundary markers: There are no explicit delimiters or safety instructions provided to the agent to treat the content of these external files as untrusted data or to ignore potentially malicious embedded instructions.
- Capability inventory: The agent possesses the capability to execute filesystem commands, create directories, and initiate container builds via the
vm0 cookcommand. - Sanitization: No sanitization or validation of the natural language content extracted from the local skill files is performed before it is utilized to generate instructions for the new agent.
Recommendations
- AI detected serious security threats
Audit Metadata