skills/astronomer/agents/airflow-hitl/Gen Agent Trust Hub

airflow-hitl

Pass

Audited by Gen Agent Trust Hub on Apr 30, 2026

Risk Level: SAFE
EXTERNAL_DOWNLOADS, COMMAND_EXECUTION, PROMPT_INJECTION

Full Analysis
  • [EXTERNAL_DOWNLOADS]: The skill utilizes uvx to execute the af utility from the astro-airflow-mcp package, which is a resource provided by the authoring organization for Airflow metadata discovery.
  • [COMMAND_EXECUTION]: Shell commands are used to invoke the af tool to inspect Airflow configurations, provider versions, and API specifications directly from the environment.
  • [PROMPT_INJECTION]: The skill exhibits an indirect prompt injection surface by interpolating potentially untrusted data from Airflow XComs and external API inputs into Jinja-templated Markdown bodies.
      • Ingestion points: Untrusted data enters the context via ti.xcom_pull in SKILL.md (Step 4) and through params_input in the external response example (Step 5).
      • Boundary markers: No explicit boundary markers or instructions to ignore embedded commands are present in the provided templates.
      • Capability inventory: The skill manages task branching via HITLBranchOperator and facilitates network requests to Airflow endpoints using the requests library.
      • Sanitization: There is no evidence of specific sanitization or escaping of the interpolated data before it is rendered or processed.

Audit Metadata
Risk Level: SAFE
Analyzed: Apr 30, 2026, 01:43 PM