workflow-creator
Warn
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: MEDIUMPROMPT_INJECTIONCOMMAND_EXECUTION
Full Analysis
- [PROMPT_INJECTION] (HIGH): The skill is vulnerable to Indirect Prompt Injection (Category 8) due to its core function of reading and processing external data from the project environment.
- Ingestion points: The skill reads
squads/TEAM.md,squads/PIPELINE.md, and the contents of the.agent/workflows/directory. - Boundary markers: Absent. The instructions do not specify delimiters or provide the agent with warnings to ignore embedded instructions within the files it reads.
- Capability inventory: The skill has the ability to write new files to
.agent/workflows/which containbashcode blocks and// turbo-allannotations for autonomous execution. - Sanitization: Absent. Data from the ingested files is used directly to inform the 'Design Proposal' and the final workflow file generation.
- [COMMAND_EXECUTION] (LOW): The skill uses
ls .agent/workflows/to identify existing workflows. This is a standard discovery operation with low risk. - [REMEDIATION]: The skill correctly implements a 'Human-in-the-loop' pattern by requiring the agent to use
notify_userto get approval for a design proposal before writing to the filesystem. To further improve security, input from project files should be treated as untrusted data and wrapped in boundary markers during the design phase.
Audit Metadata