building-workflows
Pass
Audited by Gen Agent Trust Hub on Jun 19, 2026
Risk Level: SAFE
Full Analysis
- [INDIRECT_PROMPT_INJECTION]: The skill is designed to process external, untrusted data (events, person properties, and group data) as part of its primary function. This data is interpolated into workflow configurations and email/SMS templates using a templating syntax (e.g.,
{person.properties.email}). - Ingestion points: Untrusted data enters the agent context via tool outputs (e.g.,
workflows-get-invocation) and is provided as input for testing (e.g.,workflows-test-runusing theglobalsargument). - Boundary markers: The instructions guide the agent to use specific JSON structures and tool schemas, though no explicit "ignore embedded instructions" warnings for the processed data are mandated within the templates themselves.
- Capability inventory: The skill possesses the capability to perform network side effects (sending emails/SMS via
function_email/function_sms) and modify application state (creating and enabling workflows viaworkflows-createandworkflows-enable). - Sanitization: The skill relies on the PostHog platform's server-side compilation of filters and templates; the agent is instructed to omit
bytecodeand provide human-readable properties instead.
Audit Metadata