workflow-markdown
Audited by Socket on Mar 1, 2026
2 alerts found:
Security (2 alerts):

This workflow execution skill provides powerful, legitimate capabilities (parsing and executing code blocks from markdown). However, those capabilities are a large attack surface: arbitrary shell/JS/Python execution, variable substitution into commands, execution of hook scripts, and network-capable steps. If workflows or variables originate from untrusted sources, this system can be used for command injection, remote code execution, credential exfiltration, and supply-chain compromise (through npm installs or external CLIs). The overall design requires strict, enforced sandboxing, input validation/escaping of variables, whitelists for allowed commands, and cautious handling of discovered workflow file locations to be safe. Without those enforced controls, treat this skill as a moderate-to-high security risk for use in environments with untrusted contributors or public workflows.
This code enables execution of untrusted, user-provided code across shell, JavaScript, and Python contexts without sandboxing or strong input validation. While functional for controlled workflows, it presents significant security risks in environments where workflow definitions come from untrusted origins. Recommended mitigations include implementing sandboxed execution (containers or restricted runtimes), strict input validation and least-privilege permissions, resource quotas per step, explicit data redaction policies for stdout/stderr, and audit logging with access controls. With these mitigations, the overall risk can be reduced; without them, the capability remains high-risk for production use.