start-workflow

Pass

Audited by Gen Agent Trust Hub on Jul 5, 2026

Risk Level: SAFEPROMPT_INJECTIONCOMMAND_EXECUTION
Full Analysis
  • [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection because it processes instructions and task definitions from external configuration files.
  • Ingestion points: Data is ingested from .claude/workflows.json, CLAUDE.md, and AGENTS.md (specifically the ## Workflow Catalog section).
  • Boundary markers: There are no explicit markers or guardrails instructing the agent to ignore potentially malicious instructions embedded within these files.
  • Capability inventory: The skill possesses the capability to read and write files, execute local skill commands, and invoke the spawn_agent tool to delegate tasks to sub-agents.
  • Sanitization: No sanitization or validation is applied to the strings parsed from configuration files before they are used to populate task trackers or trigger skill sequences.
  • [COMMAND_EXECUTION]: The skill dynamically generates and executes local skill commands (e.g., /scout, $plan) by parsing identifiers from the sequence array in workflows.json or the workflow catalog in context.
  • [SAFE]: The identified behaviors, such as reading project metadata, automating task management, and using sub-agents for code review, are consistent with the skill's stated purpose as a workflow management tool. These actions are restricted to the local environment and do not involve remote code execution or data exfiltration to external domains.
Audit Metadata
Risk Level
SAFE
Analyzed
Jul 5, 2026, 06:08 PM
Security Audit — agent-trust-hub — start-workflow