flow-cli

Pass

Audited by Gen Agent Trust Hub on Apr 2, 2026

Risk Level: SAFE
Finding categories: COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, PROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The skill is designed to manage and execute shell commands via workflow hooks (afterCreate, beforeRun, afterRun, beforeRemove), gates, and actions. This is the central functionality of the Flow CLI and is clearly documented as the intended purpose.
      • Evidence: Found in 'references/docs/workflow-authoring/workspaces-hooks-stages-and-actions.md'.
  • [EXTERNAL_DOWNLOADS]: Documentation guides users to install the CLI and related dependencies from the official vendor organization registry.
      • Evidence: 'references/docs/cli/quickstart.md' references installation via 'npm install -g @workbench-ai/flow-cli' from the GitHub Packages registry.
  • [PROMPT_INJECTION]: The skill possesses a surface for indirect prompt injection because it processes untrusted data from external sources that can influence both model prompts and shell command execution.
      • Ingestion points: External data enters the context through webhook triggers, cron payloads, and Linear issue polling (as documented in 'references/docs/workflow-authoring/triggers-sources-and-inputs.md').
      • Boundary markers: The skill uses Handlebars templates (e.g., '{{ trigger.payload.message }}') for variable interpolation.
      • Capability inventory: The skill has the capability to execute shell commands in various lifecycle stages (documented in 'references/docs/workflow-authoring/workspaces-hooks-stages-and-actions.md').
      • Sanitization: While some provided examples use secure shell patterns such as quoted heredocs (<<'EOF') to prevent shell expansion, the skill lacks explicit global sanitization of external inputs before they are interpolated into executable contexts.
Audit Metadata
  • Risk Level: SAFE
  • Analyzed: Apr 2, 2026, 09:16 PM
Security Audit — agent-trust-hub — flow-cli