workflow-migration
Warn
Audited by Gen Agent Trust Hub on May 19, 2026
Risk Level: MEDIUM
Tags: DATA_EXFILTRATION, COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, PROMPT_INJECTION
Full Analysis
- [DATA_EXFILTRATION]: The skill instructs the agent to access sensitive file paths and environment variables to facilitate migration.
  - Evidence:
    - Reads local `.env` files: `cat ~/.claude/skills/{skill-name}/.env`
    - Scans for credentials and secrets: `grep -E '\${?[A-Z_]+\ld}|NOTION_|DATABASE_|API_|TOKEN|SECRET' ~/.claude/skills/{skill-name}/SKILL.md`
    - Accesses environment variables such as `CLAUDE_CODE_OAUTH_TOKEN` and `NOTION_API_KEY` via shell commands.
- [COMMAND_EXECUTION]: The skill uses various shell commands to inspect the local filesystem and generate new project files.
  - Evidence:
    - Filesystem discovery: `ls -la ~/.claude/skills/`, `find ~/.claude/skills -name "SKILL.md" -type f`
    - Project generation: `mkdir -p`, `cat > .env << EOF`, and `vm0 cook` to execute the newly created configuration.
- [EXTERNAL_DOWNLOADS]: The skill references external resources for configuration and containerization.
  - Evidence:
    - Fetches skill definitions from the author's official GitHub repository: `https://github.com/vm0-ai/vm0-skills/tree/main/...`
    - Uses standard official base images for Docker: `python:3.11-slim`, `node:20-slim`, and `ubuntu:22.04`.
- [PROMPT_INJECTION]: The skill possesses an indirect prompt injection surface as it processes external, potentially untrusted skill definitions to generate new agent instructions.
  - Ingestion points: Reads `SKILL.md` and `.env` from local skill directories (`~/.claude/skills/{skill-name}/`).
  - Boundary markers: Absent; the skill translates content directly into `AGENTS.md` and `vm0.yaml` without explicit delimiters or 'ignore' instructions for the source content.
  - Capability inventory: Full shell access, local file modification, and cloud deployment via the `vm0` CLI.
  - Sanitization: No explicit sanitization or validation of the input skill content is performed before generating new instructions.
Audit Metadata