yao-geoflow-cli

Pass

Audited by Gen Agent Trust Hub on Apr 30, 2026

Risk Level: SAFECOMMAND_EXECUTIONDATA_EXFILTRATIONCREDENTIALS_UNSAFEPROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The skill executes local shell commands including bin/geoflow, php, and docker compose to interact with the GEOFlow system. Additionally, the scripts/geoflow_preflight.sh script generates and executes dynamic Python code via heredocs to perform JSON validation and text excerpting.\n- [DATA_EXFILTRATION]: The skill uses curl to transmit data, including task configurations and article content, to a user-configured GEOFLOW_BASE_URL. While this is functional, it involves sending local data to a remote endpoint.\n- [CREDENTIALS_UNSAFE]: The skill manages sensitive authentication data such as GEOFLOW_API_TOKEN and user passwords. Although the documentation provides guidance to avoid exposing these tokens in summaries, they are actively handled within the environment and local configuration files.\n- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection because it reads and processes untrusted local data from files like task.json and article.md.\n
  • Ingestion points: task.json and article.md (specified in SKILL.md and references/command-map.md).\n
  • Boundary markers: Absent; the skill does not wrap file content in delimiters or include instructions to ignore embedded commands.\n
  • Capability inventory: The agent can execute shell commands (bin/geoflow, php) and perform network operations (curl).\n
  • Sanitization: No sanitization or validation of the file content is performed before it is passed to commands or API requests.
Audit Metadata
Risk Level
SAFE
Analyzed
Apr 30, 2026, 09:22 AM
Security Audit — agent-trust-hub — yao-geoflow-cli