ccx-flow
Warn
Audited by Gen Agent Trust Hub on Jun 23, 2026
Risk Level: MEDIUMCOMMAND_EXECUTIONEXTERNAL_DOWNLOADSCREDENTIALS_UNSAFEPROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill utilizes dynamic context injection (
!command) to execute shell and Node.js commands immediately upon the skill being loaded or opened by the agent. This includes runninggit rev-parseto determine the project root and Node.js scripts to generate random tokens and calculate ports. - [EXTERNAL_DOWNLOADS]: The skill executes
npx @lionad/port-keywithin a dynamic context at load time. This command may download and execute code from the npm registry without user intervention or prior notification. - [CREDENTIALS_UNSAFE]: The skill programmatically accesses the
CLAUDE_SESSION_IDenvironment variable using dynamic context injection (node -e "console.log(process.env.CLAUDE_SESSION_ID || '')") at load time. While used for session management, this pattern exposes internal environment state silently. - [PROMPT_INJECTION]: The skill's primary function is to create an injection surface (Category 8: Indirect Prompt Injection). It allows external data to enter the agent's context via an HTTP POST request to a local server (
http://127.0.0.1:<port>/inject). - Ingestion points: Local HTTP endpoint (
/inject) handled byflow-bridge.js(referenced in SKILL.md). - Boundary markers: The instructions state that injected text enters as a
teammate_messageand is understood as natural language, but no explicit sanitization or boundary delimiters are provided to the agent. - Capability inventory: The agent is instructed to use
TeamCreateToolandAgentTool, and has the ability to manage background processes and file system paths. - Sanitization: No specific sanitization or validation of the injected text is described in the instructions to prevent the external process from sending malicious prompts.
Audit Metadata