Claude Flow CLI

Fail

Audited by Gen Agent Trust Hub on May 10, 2026

Risk Level: HIGH
REMOTE_CODE_EXECUTION, EXTERNAL_DOWNLOADS, COMMAND_EXECUTION, PROMPT_INJECTION, DATA_EXFILTRATION
Full Analysis
  • [REMOTE_CODE_EXECUTION]: The instructions mandate the use of npx @claude-flow/cli@latest for all operations. This pattern fetches and executes code directly from the NPM registry at runtime. Using the @latest tag ensures the tool always runs the most recent version, making the environment highly vulnerable to supply chain attacks if the package or the developer's account is compromised.
  • [EXTERNAL_DOWNLOADS]: The skill requires downloading the @claude-flow/cli package from the public NPM registry, which is an external and untrusted source relative to the core agent platform.
  • [COMMAND_EXECUTION]: The skill is primarily a collection of shell commands designed to manage agents, swarms, and memory. These commands allow for significant control over the host environment, including spawning new processes and modifying system state.
  • [PROMPT_INJECTION]: The skill uses the name 'Claude Flow', which leverages the brand of a well-known AI model (Claude). Given that the author is 'ricable', this use of branding is potentially deceptive and constitutes metadata poisoning, as it may mislead users or agents into assuming the tool is an official Anthropic product.
  • [DATA_EXFILTRATION]: The presence of commands like memory export --file <path> and session export --file <path> allows for the extraction of internal agent state and memory to external files. If directed by a malicious prompt, these tools could be used to harvest and exfiltrate sensitive data from the agent's context.
  • [PROMPT_INJECTION]: The skill presents an indirect prompt injection surface as it ingests untrusted data during task creation and memory storage.
    • Ingestion points: task create --name <name>, memory store --value <value>, and swarm configuration inputs in SKILL.md.
    • Boundary markers: None are defined in the instructions to separate untrusted data from system commands.
    • Capability inventory: The skill has extensive capabilities including shell command execution (npx), file writing (export), and agent spawning across all described commands.
    • Sanitization: No sanitization or validation of the input data is described or implemented in the instructions.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level
HIGH
Analyzed
May 10, 2026, 11:29 PM
Security Audit — agent-trust-hub — Claude Flow CLI