flowguard
Pass
Audited by Gen Agent Trust Hub on Jul 2, 2026
Risk Level: SAFECOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill utilizes a bundled shell script (
scripts/workflow_state_snapshot.sh) to perform repository introspection. Analysis of the script confirms it is restricted to read-only operations, such as checking git status, identifying project types (e.g., Rust, Go, Python), and locating local configuration files. - [COMMAND_EXECUTION]: The instructions guide the agent to execute standard development commands for verification (e.g.,
cargo test,go test,pytest). These are used for validating task completion within the user's project environment. - [PROMPT_INJECTION]: The skill is designed to ingest and follow project-specific instructions from
AGENTS.mdfiles located within the target repository. This creates a surface for indirect prompt injection. - Ingestion points: Instructions in
SKILL.md(Startup step 2) andreferences/state-contract.md(Resume Checklist step 1) explicitly direct the agent to loadAGENTS.mdfiles from the project directory. - Boundary markers: The skill provides a structured framework (Operating Contract and Preflight Contract) to guide agent behavior, though it lacks specific warnings regarding the potential for untrusted content within project-level markdown files.
- Capability inventory: The skill enables the agent to perform file modifications and execute bounded autonomous loops, as well as running verification commands via the shell.
- Sanitization: No automated sanitization or filtering of the content within
AGENTS.mdis specified. - Risk Mitigation: The inherent risk of processing project-level instructions is mitigated by the skill's extensive safety contracts and 'Loop Guards', which require human intervention for high-risk operations like credential access, destructive writes, or deployments.
Audit Metadata