flowguard

Pass

Audited by Gen Agent Trust Hub on Jul 2, 2026

Risk Level: SAFECOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The skill utilizes a bundled shell script (scripts/workflow_state_snapshot.sh) to perform repository introspection. Analysis of the script confirms it is restricted to read-only operations, such as checking git status, identifying project types (e.g., Rust, Go, Python), and locating local configuration files.
  • [COMMAND_EXECUTION]: The instructions guide the agent to execute standard development commands for verification (e.g., cargo test, go test, pytest). These are used for validating task completion within the user's project environment.
  • [PROMPT_INJECTION]: The skill is designed to ingest and follow project-specific instructions from AGENTS.md files located within the target repository. This creates a surface for indirect prompt injection.
  • Ingestion points: Instructions in SKILL.md (Startup step 2) and references/state-contract.md (Resume Checklist step 1) explicitly direct the agent to load AGENTS.md files from the project directory.
  • Boundary markers: The skill provides a structured framework (Operating Contract and Preflight Contract) to guide agent behavior, though it lacks specific warnings regarding the potential for untrusted content within project-level markdown files.
  • Capability inventory: The skill enables the agent to perform file modifications and execute bounded autonomous loops, as well as running verification commands via the shell.
  • Sanitization: No automated sanitization or filtering of the content within AGENTS.md is specified.
  • Risk Mitigation: The inherent risk of processing project-level instructions is mitigated by the skill's extensive safety contracts and 'Loop Guards', which require human intervention for high-risk operations like credential access, destructive writes, or deployments.
Audit Metadata
Risk Level
SAFE
Analyzed
Jul 2, 2026, 11:20 AM
Security Audit — agent-trust-hub — flowguard