sf-flow
Pass
Audited by Gen Agent Trust Hub on Apr 28, 2026
Risk Level: SAFE
PROMPT_INJECTION
Full Analysis
- [PROMPT_INJECTION]: The skill contains an attack surface for indirect prompt injection through its automated documentation generator.
  - Ingestion points: The scripts scripts/doc_generator.py and hooks/scripts/validate_flow.py ingest metadata from Salesforce Flow XML files (.flow-meta.xml).
  - Boundary markers: The output Markdown templates in assets/flow-documentation-template.md do not utilize delimiters or provide instructions to the agent to ignore instructions embedded in the generated text fields.
  - Capability inventory: The skill allows for writing files to the project and interacts with other automation tools via the agent, creating a path for malicious instructions to trigger actions.
  - Sanitization: Content extracted from Flow XML tags (such as descriptions or labels) is interpolated directly into generated reports without filtering or escaping.
Audit Metadata