wf-player
Audited by Socket on Mar 18, 2026
2 alerts found:
Security, Anomaly
SUSPICIOUS: The skill’s orchestration behavior mostly matches its stated purpose, but its footprint is broad for a workflow runner: wildcard tools, dynamic Skill/Agent/Bash dispatch, and template-driven execution create meaningful risk. The `ccw` dependency appears same-project and publicly documented rather than obviously malicious, so the main concern is overbroad execution and transitive trust, not confirmed credential theft or malware.
This specification is not inherently malicious. However, it contains potentially dangerous implementation patterns: unescaped interpolation of resolved arguments into shell commands (command injection risk), persistence of possibly sensitive session and node outputs to disk without stated protections, and reliance on external executors and callbacks which require secure authentication and input validation. If implemented without proper escaping, validation, and secure storage, the system could be abused for command execution or data exposure. Recommend implementing strong escaping for shell invocation (avoid single-string shells; use argument arrays or proper escaping), validate and sanitize resolved arguments before use, encrypt or restrict access to persisted session/checkpoint files, and require authentication/verification for agent callbacks and external executor interactions.