workflow-markdown

Fail

Audited by Gen Agent Trust Hub on Mar 1, 2026

Risk Level: HIGH

Findings: COMMAND_EXECUTION, REMOTE_CODE_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The executeShellStep function in lib/executor.js passes code strings directly to child_process.exec. These strings are modified by the substituteVariables function in lib/parser.js using a simple regex replacement of user-provided values. An attacker can inject arbitrary shell commands (e.g., using ;, &&, or |) through these variables, as no escaping or validation is performed.
  • [REMOTE_CODE_EXECUTION]: The skill dynamically generates and executes JavaScript and Python scripts in executeJavaScriptStep and executePythonStep within lib/executor.js. Any variable interpolation within these blocks allows for arbitrary code injection into the runtime environment, as the code is written to a temporary file and executed via the system's node or python3 interpreter.
  • [DATA_EXFILTRATION]: The unrestricted command execution capability allows the skill to read any file the agent has access to, such as ~/.ssh/id_rsa or .env files, and transmit them to external servers via shell commands like curl or wget. The example workflows in SKILL.md explicitly demonstrate the use of curl with variable substitution.
  • [PROMPT_INJECTION]: The skill is highly vulnerable to indirect prompt injection.
    ◦ Ingestion points: Workflow files are discovered and read from local project directories such as .agent/workflows/ in lib/workflows.js.
    ◦ Boundary markers: The system lacks any markers or "ignore embedded instructions" warnings, meaning the agent will treat all content in discovered markdown files as authoritative commands.
    ◦ Capability inventory: The skill exposes a powerful suite of capabilities including arbitrary shell execution, file system modification, and runtime code execution across multiple languages.
    ◦ Sanitization: There is no sanitization, escaping, or validation of either the markdown content or the variables interpolated into executable blocks.
  • [DECEPTIVE_CLAIMS]: The SKILL.md documentation contains false security claims, stating that "Shell commands are validated before execution" and "Dangerous patterns flagged for review". A technical audit of the source code confirms that no such validation or filtering logic exists, which could lead a user to misjudge the skill's safety profile.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level
HIGH
Analyzed
Mar 1, 2026, 05:12 AM