
one-flow

Warn

Audited by Gen Agent Trust Hub on Mar 18, 2026

Risk Level: MEDIUM
Findings: COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The skill makes extensive use of the one CLI tool, requiring the agent to execute system commands to manage connections, discover API actions, and orchestrate workflows.
  • [COMMAND_EXECUTION]: The flow engine supports dynamic execution of JavaScript code via transform and code step types.
  • Evidence: Workflows can include JavaScript expressions in the expression field of transform steps and full function bodies in the source field of code steps, which are evaluated at runtime by the flow engine (SKILL.md).
  • [PROMPT_INJECTION]: The skill exhibits a surface for indirect prompt injection as it ingests data from external sources and processes it using powerful execution capabilities.
  • Ingestion points: Data enters the agent's context through API responses in action steps and through local file content in file-read steps (SKILL.md).
  • Boundary markers: There are no instructions or built-in mechanisms described to delimit untrusted data or warn the agent about embedded instructions within retrieved data.
  • Capability inventory: The workflow engine includes the ability to execute arbitrary JavaScript (code, transform), write to the filesystem (file-write), and perform network operations (action steps) (SKILL.md).
  • Sanitization: The documentation does not mention sanitization or validation routines for data retrieved from external platforms before it is interpolated into flow logic or filesystem operations.
Audit Metadata
Risk Level
MEDIUM
Analyzed
Mar 18, 2026, 07:46 AM
Security Audit — agent-trust-hub — one-flow