when-creating-slash-commands-use-slash-command-encoder

Warn

Audited by Gen Agent Trust Hub on Jun 26, 2026

Risk Level: MEDIUMEXTERNAL_DOWNLOADSREMOTE_CODE_EXECUTIONCOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
  • [EXTERNAL_DOWNLOADS]: The skill uses npx to fetch the claude-flow@alpha package from the NPM registry during multiple workflow phases (e.g., Phase 1: Design Command Interface, Phase 5: Deploy Command).
  • [REMOTE_CODE_EXECUTION]: Executing code from an unverified NPM package via npx allows for the execution of remote code on the host machine. The skill also facilitates the generation and deployment of custom Javascript code as command handlers.
  • [COMMAND_EXECUTION]: The skill executes multiple shell commands to build and install software, including a global installation step (npx claude-flow@alpha command install --from dist/commands.bundle.js --global) and modifying shell completion directories (~/.bash_completion.d/).
  • [PROMPT_INJECTION]: The command handler templates (e.g., in SKILL.md) are vulnerable to indirect prompt injection. Ingestion points: User-provided parameters (e.g., path) in commands/analyze-handler.js. Boundary markers: No boundary markers or instructions to ignore embedded commands are present in the prompt templates. Capability inventory: The handler can execute agent logic via this.routeToAgent (mapped to claudeFlow.agent.execute). Sanitization: There is no sanitization or escaping of the user-provided path variable before it is passed to the agent execution logic.
Audit Metadata
Risk Level
MEDIUM
Analyzed
Jun 26, 2026, 03:22 AM
Security Audit — agent-trust-hub — when-creating-slash-commands-use-slash-command-encoder