start-workflow
Pass
Audited by Gen Agent Trust Hub on Jul 5, 2026
Risk Level: SAFEPROMPT_INJECTIONCOMMAND_EXECUTION
Full Analysis
- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection because it processes instructions and task definitions from external configuration files.
- Ingestion points: Data is ingested from
.claude/workflows.json,CLAUDE.md, andAGENTS.md(specifically the## Workflow Catalogsection). - Boundary markers: There are no explicit markers or guardrails instructing the agent to ignore potentially malicious instructions embedded within these files.
- Capability inventory: The skill possesses the capability to read and write files, execute local skill commands, and invoke the
spawn_agenttool to delegate tasks to sub-agents. - Sanitization: No sanitization or validation is applied to the strings parsed from configuration files before they are used to populate task trackers or trigger skill sequences.
- [COMMAND_EXECUTION]: The skill dynamically generates and executes local skill commands (e.g.,
/scout,$plan) by parsing identifiers from thesequencearray inworkflows.jsonor the workflow catalog in context. - [SAFE]: The identified behaviors, such as reading project metadata, automating task management, and using sub-agents for code review, are consistent with the skill's stated purpose as a workflow management tool. These actions are restricted to the local environment and do not involve remote code execution or data exfiltration to external domains.
Audit Metadata