agentflow
Warn
Audited by Gen Agent Trust Hub on Jul 1, 2026
Risk Level: MEDIUMCOMMAND_EXECUTIONDATA_EXFILTRATIONPROMPT_INJECTION
Full Analysis
- [DATA_EXFILTRATION]: The
agentflow.mjsscript accesses the.gemini/antigravity-cli/conversationsdirectory within the user's home folder to read database files and conversation metadata. - [COMMAND_EXECUTION]: The skill executes a local Node.js script and an external CLI tool (
agy) to perform prompt expansion and task dispatching. - [COMMAND_EXECUTION]: The "Post-Execution Validation" step (Step 6) dynamically detects the project tech stack and automatically executes build or test commands (such as
go build,npx tsc, orpytest) based on files present in the workspace. - [PROMPT_INJECTION]: The skill instructs the agent to operate with high autonomy, explicitly stating "No confirmation dialogs" and "No blocking," which bypasses standard user oversight for executed actions.
- [PROMPT_INJECTION]: The sequencer treats Markdown files in the
.agents/workflows/directory as authoritative "ground truth" for its expansion engine, creating a significant indirect prompt injection surface if those files are modified by untrusted sources. - [PROMPT_INJECTION]: The "Prompt Expansion Engine" interpolates raw user instructions and workspace file listings into a powerful, role-playing prompt template that is then re-executed by the agent.
Audit Metadata