when-analyzing-user-intent-use-intent-analyzer

Warn

Audited by Gen Agent Trust Hub on Jun 26, 2026

Risk Level: MEDIUMDATA_EXFILTRATIONCOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
  • [DATA_EXFILTRATION]: Step 1.1 in Phase 1 of the SKILL.md instructions captures the entire process.env object into a memory variable. System environment variables frequently contain high-value secrets such as API keys, authentication tokens, and database credentials, posing a high risk of sensitive data exposure.
  • [DATA_EXFILTRATION]: The skill performs broad environment reconnaissance, including capturing the full working directory path via process.cwd() and conducting filesystem analysis and edit history tracking (analyzeFileSystem, getRecentEdits) without clear scoping or user-defined limits.
  • [COMMAND_EXECUTION]: The skill uses npx claude-flow@alpha agent-spawn to dynamically create sub-agents (researcher, analyst, planner) whose tasks are generated directly from user-provided input. This architecture allows potentially malicious user instructions to influence the execution and logic of secondary agent processes.
  • [PROMPT_INJECTION]: The skill possesses a surface for indirect prompt injection as it processes unvalidated user requests through an autonomous decomposition and planning chain.
  • Ingestion points: Untrusted user input is captured in Phase 1 of SKILL.md and README.md.
  • Boundary markers: There are no explicit delimiters or boundary markers used when the user request is passed to the researcher agent for decomposition.
  • Capability inventory: The skill can spawn new agent processes, write files to the /tmp directory, and store/retrieve data from a persistent memory system.
  • Sanitization: No sanitization, escaping, or validation of the user request is implemented before the content is used to define sub-agent tasks in Step 2.1.
Audit Metadata
Risk Level
MEDIUM
Analyzed
Jun 26, 2026, 03:21 AM
Security Audit — agent-trust-hub — when-analyzing-user-intent-use-intent-analyzer