agentflow

Warn

Audited by Gen Agent Trust Hub on Jul 1, 2026

Risk Level: MEDIUMCOMMAND_EXECUTIONDATA_EXFILTRATIONPROMPT_INJECTION
Full Analysis
  • [DATA_EXFILTRATION]: The agentflow.mjs script accesses the .gemini/antigravity-cli/conversations directory within the user's home folder to read database files and conversation metadata.
  • [COMMAND_EXECUTION]: The skill executes a local Node.js script and an external CLI tool (agy) to perform prompt expansion and task dispatching.
  • [COMMAND_EXECUTION]: The "Post-Execution Validation" step (Step 6) dynamically detects the project tech stack and automatically executes build or test commands (such as go build, npx tsc, or pytest) based on files present in the workspace.
  • [PROMPT_INJECTION]: The skill instructs the agent to operate with high autonomy, explicitly stating "No confirmation dialogs" and "No blocking," which bypasses standard user oversight for executed actions.
  • [PROMPT_INJECTION]: The sequencer treats Markdown files in the .agents/workflows/ directory as authoritative "ground truth" for its expansion engine, creating a significant indirect prompt injection surface if those files are modified by untrusted sources.
  • [PROMPT_INJECTION]: The "Prompt Expansion Engine" interpolates raw user instructions and workspace file listings into a powerful, role-playing prompt template that is then re-executed by the agent.
Audit Metadata
Risk Level
MEDIUM
Analyzed
Jul 1, 2026, 04:40 PM
Security Audit — agent-trust-hub — agentflow