when-managing-token-budget-use-token-budget-advisor

Warn

Audited by Gen Agent Trust Hub on Jun 26, 2026

Risk Level: MEDIUMREMOTE_CODE_EXECUTIONEXTERNAL_DOWNLOADSCOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
  • [REMOTE_CODE_EXECUTION]: The skill instructs the agent to execute external code using the npx claude-flow@alpha command across multiple phase instructions.
  • Evidence: Found in SKILL.md (Phases 1 and 3) and PROCESS.md (Phases 1, 3, and 5).
  • Risk: Using npx to run unverified packages from a public registry at runtime can lead to remote code execution if the package or its dependencies are compromised.
  • [EXTERNAL_DOWNLOADS]: Fetches and executes the claude-flow package from the public NPM registry at runtime.
  • Evidence: Multiple shell command examples using npx to invoke the tool without pre-installation.
  • [COMMAND_EXECUTION]: Executes shell commands with potential for argument injection when processing user input.
  • Evidence: npx claude-flow@alpha hooks pre-task --description "Planning token budget for [task]" in PROCESS.md.
  • Risk: The skill interpolates the user-provided [task] description directly into a shell command argument. Without explicit instructions for sanitization or escaping shell metacharacters (e.g., ;, &, |), a malicious task description could be crafted to execute arbitrary shell commands.
  • [PROMPT_INJECTION]: Vulnerable to indirect prompt injection through untrusted task descriptions.
  • Ingestion points: The taskDescription variable in SKILL.md used for complexity estimation and phase decomposition.
  • Boundary markers: Absent. There are no delimiters (e.g., XML tags, triple backticks) or specific instructions to the agent to treat the user-provided task description as data rather than instructions.
  • Capability inventory: The agent has access to shell execution (npx), memory storage, and multi-agent coordination capabilities.
  • Sanitization: Absent. The skill logic uses regex for classification but does not validate or sanitize the input content before processing or interpolation into commands.
Audit Metadata
Risk Level
MEDIUM
Analyzed
Jun 26, 2026, 03:22 AM
Security Audit — agent-trust-hub — when-managing-token-budget-use-token-budget-advisor