flow-develop
Warn
Audited by Gen Agent Trust Hub on May 7, 2026
Risk Level: MEDIUM
Tags: COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill invokes shell and Python scripts, such as orchestrate.sh and search.py, by directly interpolating user-provided task descriptions and prompts into command-line arguments. This pattern is vulnerable to command injection if the underlying scripts do not properly sanitize these inputs.
- [PROMPT_INJECTION]: The skill exhibits an indirect prompt injection surface due to its synthesis of external and local data.
  - Ingestion points: Data is ingested from user implementation requests, project state files (.octo/STATE.md), and synthesis output from external providers (Codex, Gemini) stored in ~/.claude-octopus/results/.
  - Boundary markers: The workflow does not use explicit delimiters or 'ignore' instructions when passing user-provided content to the orchestrate.sh script or other sub-processes.
  - Capability inventory: The skill has broad capabilities, including executing shell commands, reading/writing files, and orchestrating subagents via SendMessage.
  - Sanitization: There is no evidence of sanitization or escaping of external content before it is used for command execution or prompt construction.
Audit Metadata