workflow-composer
Pass
Audited by Gen Agent Trust Hub on Apr 6, 2026
Risk Level: SAFECOMMAND_EXECUTIONREMOTE_CODE_EXECUTION
Full Analysis
- [COMMAND_EXECUTION]: The skill makes extensive use of the
BashandTasktools to execute system commands and launch other agent skills as part of the orchestration process. - [REMOTE_CODE_EXECUTION]: The
Workflow Librarysection describes a mechanism (claude workflow install) for fetching and installing workflow definitions from a community registry. If the source of these workflows is untrusted or if the integrity of the downloaded files is not verified, it could lead to the execution of malicious automation logic within the agent's environment. - [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection through its workflow engine. It processes external YAML files and interpolates variables (such as
${inputs.project_path}or${steps.quality-checks.results}) directly into tool calls. - Ingestion points: Workflow definitions are loaded from the
.claude-workflows/directory (SKILL.md). - Boundary markers: The instructions do not specify any delimiters or safety warnings to prevent the agent from following instructions embedded within the interpolated data.
- Capability inventory: The skill has access to
Bash(shell execution),Task(agent spawning), andWrite(file modification), allowing for high-impact actions if a workflow is subverted (SKILL.md). - Sanitization: There is no mention of input validation or escaping for the variables used in the workflow logic.
Audit Metadata