wf-player

Warn

Audited by Gen Agent Trust Hub on Mar 18, 2026

Risk Level: MEDIUM

Findings: COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The skill executes shell commands via the Bash tool to handle 'cli' nodes. Although it attempts to escape arguments with an escapeForShell function, building shell commands dynamically from data stored in external JSON templates creates a potential vector for command injection.
  • [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection (Category 8) because it is designed as a workflow template runner.
    • Ingestion points: Workflow templates loaded from .workflow/templates/ and context variables provided as CLI arguments.
    • Boundary markers: Absent. The skill does not use delimiters or explicit instructions to distinguish template-provided data from agent instructions during prompt interpolation.
    • Capability inventory: Broad permissions across sensitive tools, including Bash (shell), Agent (sub-agent spawning), and Skill (internal tool execution).
    • Sanitization: Minimal. Shell escaping is applied to Bash calls, but no sanitization or validation is performed on prompts sent to the Agent tool or on arguments passed to other Skill tools.
  • [COMMAND_EXECUTION]: The resolveArgs logic in phases/03-execute.md substitutes session state data into command arguments at runtime. This lets the output of one node influence the execution parameters of subsequent nodes, which could be exploited to chain malicious behavior if a previous node's output is compromised.
Audit Metadata
  • Risk Level: MEDIUM
  • Analyzed: Mar 18, 2026, 03:11 AM
Security Audit — agent-trust-hub — wf-player