workbench-cli

Warn

Audited by Gen Agent Trust Hub on Mar 19, 2026

Risk Level: MEDIUM
Findings: CREDENTIALS_UNSAFE, EXTERNAL_DOWNLOADS, COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
  • [CREDENTIALS_UNSAFE]: The skill provides example workflows that access sensitive local file paths containing credentials.
      • Evidence: In examples/workflows/claude-profile-triage.yaml, the harness.auth.path is set to /Users/alice/.config/claude-workflow-profile to retrieve authentication data.
  • [EXTERNAL_DOWNLOADS]: The skill facilitates the installation of external packages and dependencies at runtime.
      • Evidence: The codex-review-loop.yaml example includes a before_run hook that executes npm install. Additionally, references/commands.md provides instructions for installing the vendor's CLI via npm install -g @workbench-ai/workbench and npx.
  • [COMMAND_EXECUTION]: The workflow engine is designed to execute arbitrary shell commands across various lifecycle hooks and actions.
      • Evidence: Files like examples/workflows/codex-review-loop.yaml and examples/workflows/webhook-claude-gated.yaml contain shell scripts in hooks, gate, and actions blocks (e.g., npm test, git clone, ./scripts/request-changes.sh).
  • [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection due to the way it handles untrusted external data.
      • Ingestion points: Data enters the system via triggers.webhook (in codex-review-loop.yaml and webhook-claude-gated.yaml) and triggers.manual (in interactive-conversation.yaml).
      • Boundary markers: No explicit boundary markers or instructions to ignore embedded instructions are present in the provided templates.
      • Capability inventory: The system can execute shell commands via hooks/actions and provides the AI harness with tools like Bash, Edit, Read, and Write (as seen in claude-profile-triage.yaml).
      • Sanitization: There is no evidence of sanitization or escaping for the interpolated payload data (e.g., {{ trigger.payload.message }}).
Audit Metadata
Risk Level: MEDIUM
Analyzed: Mar 19, 2026, 04:23 PM