Skills
skills/halt-catch-fire/skills/ai-automation-workflows/Gen Agent Trust Hub

ai-automation-workflows

Pass

Audited by Gen Agent Trust Hub on Jun 19, 2026

Risk Level: SAFEPROMPT_INJECTIONCOMMAND_EXECUTIONEXTERNAL_DOWNLOADS
Full Analysis
  • [PROMPT_INJECTION]: The skill exhibits an attack surface for Indirect Prompt Injection across multiple workflow patterns:
  • Ingestion points: The skill ingests untrusted data from web search results (via tavily/search-assistant in Pattern 2), user-supplied arguments ($INPUT_TEXT in Pattern 4), and local file contents ($(cat $file) in Data Processing Pipeline).
  • Boundary markers: There are no boundary markers (e.g., XML tags or delimiters) or instructions for the models to ignore embedded directives in the ingested content.
  • Capability inventory: The workflows possess significant capabilities, including executing subprocesses via the belt CLI, writing files to the local system, and making network requests via curl (as seen in the alerting example).
  • Sanitization: No sanitization or validation of the ingested external content is performed before it is interpolated into prompts for models like Claude or Flux.
  • [COMMAND_EXECUTION]: The monitored_workflow.sh example uses a wrapper function that executes arbitrary commands passed as arguments ($@). While designed for logging and alerting, this pattern allows for dynamic command execution.
  • [EXTERNAL_DOWNLOADS]: The skill directs users to fetch installation instructions and additional skills from github.com/inference-sh/skills. These are standard project dependencies and resources related to the inference.sh platform described in the skill.
Audit Metadata
Risk Level
SAFE
Analyzed
Jun 19, 2026, 02:15 AM
Security Audit — agent-trust-hub — ai-automation-workflows