workflow-automation

Pass

Audited by Gen Agent Trust Hub on May 4, 2026

Risk Level: SAFE
Findings: PROMPT_INJECTION

Full Analysis
  • [PROMPT_INJECTION]: The skill documentation includes an example 'aiOrchestrator' that exposes a surface for indirect prompt injection.
  • Ingestion points: The skill is designed to process external events and webhooks, such as the 'task/complex' event in the aiOrchestrator example in SKILL.md.
  • Boundary markers: The provided example has no boundary markers and no instruction to the model to ignore directives embedded in the event data.
  • Capability inventory: The skill describes patterns capable of sensitive operations, including payment processing (via Stripe), database interactions (db.query), and the execution of arbitrary child workflows (executeSubtask).
  • Sanitization: The code snippet interpolates 'event.data.task' directly into the LLM prompt without validation or sanitization, so a crafted event payload could hijack the workflow logic.
Audit Metadata
Risk Level: SAFE
Analyzed: May 4, 2026, 07:26 AM