li-workflow
Pass
Audited by Gen Agent Trust Hub on May 2, 2026
Risk Level: SAFEPROMPT_INJECTIONCOMMAND_EXECUTION
Full Analysis
- [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection because it ingests and processes untrusted data from the workspace to guide its own logic and document modification actions.
- Ingestion points: Step 1 involves reading
CLAUDE.md,AI能力定义.md, and工作流程.md, which are files that may contain third-party or attacker-influenced content. - Boundary markers: The instructions lack delimiters or explicit directives to treat file content as data rather than instructions, increasing the risk that the agent might obey commands embedded within the documentation it is supposed to analyze.
- Capability inventory: The skill has the capability to modify critical project files (Step 4) using the Edit tool and create new files in the
04-方法论沉淀/directory. - Sanitization: There is no evidence of content sanitization or validation before the agent uses the extracted information to perform file-system operations.
- [COMMAND_EXECUTION]: The skill is designed to automatically execute file modifications and documentation updates based on its internal diagnostics, which could be leveraged to make unauthorized changes if the diagnostic step is compromised via indirect injection.
Audit Metadata