codeflow
Pass
Audited by Gen Agent Trust Hub on Jun 29, 2026
Risk Level: SAFECOMMAND_EXECUTIONEXTERNAL_DOWNLOADSREMOTE_CODE_EXECUTIONPROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The
scripts/install.shscript executes shell commands includinggit cloneto download the upstream repository andopen,xdg-open, orpowershell.exeto launch the application in a web browser. These are standard operations for the skill's stated purpose of self-hosting the tool.\n- [EXTERNAL_DOWNLOADS]: The skill downloads thecodeflowproject from a public GitHub repository (braedonsaunders/codeflow) during the installation process. Per security rules, downloads from well-known services like GitHub are documented neutrally and do not contribute to verdict escalation.\n- [REMOTE_CODE_EXECUTION]: Thescripts/install.shscript andreferences/features.mdsuggest runningnode --teston the downloaded repository content. This involves executing JavaScript code that is fetched from a remote source, which constitutes a localized execution surface for external code.\n- [PROMPT_INJECTION]: The skill presents a surface for indirect prompt injection as it processes untrusted data from GitHub repositories, local folders, and PR descriptions to generate architecture maps and summaries.\n - Ingestion points: Untrusted data enters the context from GitHub repositories, local directories, PR URLs, and markdown/Obsidian vaults via the WebFetch tool or local file access.\n
- Boundary markers: The skill instructions do not specify any delimiters or warnings to the agent to ignore embedded instructions within the analyzed codebase content.\n
- Capability inventory: The skill uses
Bashfor installation andWebFetchfor remote data retrieval. The installation script can execute shell commands and launch processes.\n - Sanitization: No explicit sanitization, validation, or filtering of the processed codebase content is documented; the skill relies on the heuristic analysis performed by the upstream tool.
Audit Metadata