ccx-flow

Warn

Audited by Gen Agent Trust Hub on Jun 23, 2026

Risk Level: MEDIUMCOMMAND_EXECUTIONEXTERNAL_DOWNLOADSCREDENTIALS_UNSAFEPROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The skill utilizes dynamic context injection (!command) to execute shell and Node.js commands immediately upon the skill being loaded or opened by the agent. This includes running git rev-parse to determine the project root and Node.js scripts to generate random tokens and calculate ports.
  • [EXTERNAL_DOWNLOADS]: The skill executes npx @lionad/port-key within a dynamic context at load time. This command may download and execute code from the npm registry without user intervention or prior notification.
  • [CREDENTIALS_UNSAFE]: The skill programmatically accesses the CLAUDE_SESSION_ID environment variable using dynamic context injection (node -e "console.log(process.env.CLAUDE_SESSION_ID || '')") at load time. While used for session management, this pattern exposes internal environment state silently.
  • [PROMPT_INJECTION]: The skill's primary function is to create an injection surface (Category 8: Indirect Prompt Injection). It allows external data to enter the agent's context via an HTTP POST request to a local server (http://127.0.0.1:<port>/inject).
  • Ingestion points: Local HTTP endpoint (/inject) handled by flow-bridge.js (referenced in SKILL.md).
  • Boundary markers: The instructions state that injected text enters as a teammate_message and is understood as natural language, but no explicit sanitization or boundary delimiters are provided to the agent.
  • Capability inventory: The agent is instructed to use TeamCreateTool and AgentTool, and has the ability to manage background processes and file system paths.
  • Sanitization: No specific sanitization or validation of the injected text is described in the instructions to prevent the external process from sending malicious prompts.
Audit Metadata
Risk Level
MEDIUM
Analyzed
Jun 23, 2026, 05:31 AM
Security Audit — agent-trust-hub — ccx-flow