demo
Fail
Audited by Gen Agent Trust Hub on Mar 29, 2026
Risk Level: HIGH
Findings: DATA_EXFILTRATION, COMMAND_EXECUTION, REMOTE_CODE_EXECUTION, PROMPT_INJECTION
Full Analysis
- [DATA_EXFILTRATION]: The skill is instructed to explore the project codebase for sensitive configuration files, specifically listing .env, .env.local, and supabase/config.toml. Accessing these files to 'discover URLs, API endpoints, and email services' exposes potentially sensitive environment variables and authentication secrets to the agent's context.
- [COMMAND_EXECUTION]: The skill uses the Bash tool to install external packages (npm install skill-demoflow) and browser binaries (npx playwright install chromium) required for the automation environment.
- [REMOTE_CODE_EXECUTION]: The skill creates and executes a TypeScript script (scripts/demo-run.ts) using npx tsx. This script is dynamically generated based on natural language scenario descriptions and project-specific UI patterns, allowing information from the local environment to directly dictate the logic of executed code.
- [PROMPT_INJECTION]: The skill creates a significant surface for indirect prompt injection by reading external scenario files and project source code (routes, pages, and interactive components) to inform its code generation process.
  - Ingestion points: Reads from .demoflow/scenarios/*.md, project source files (app/, pages/), and local environment templates (.env.example).
  - Boundary markers: No boundary markers or 'ignore' instructions are used when processing these files.
  - Capability inventory: Includes file writing (Write), shell execution (Bash), and the ability to perform browser-based network operations through the generated Playwright scripts.
  - Sanitization: There is no evidence of sanitization or validation of the content extracted from the local filesystem before it is interpolated into the generated executable script.
Recommendations
- AI detected serious security threats
Audit Metadata