run-athena-flow
Pass
Audited by Gen Agent Trust Hub on Apr 11, 2026
Risk Level: SAFE
Findings: PROMPT_INJECTION, EXTERNAL_DOWNLOADS, COMMAND_EXECUTION
Full Analysis
- [PROMPT_INJECTION]: The skill exposes a surface for indirect prompt injection. It is designed to ingest and process untrusted data from external websites (via semantic browser snapshots) and local codebases to drive automated tasks such as test generation.
  - Ingestion points: external web pages explored via the `agent-web-interface` MCP, and local project files accessed via standard file tools (SKILL.md, references/recipes/e2e-testing.md).
  - Boundary markers: the provided documentation does not specify explicit delimiters or instruction-isolation warnings for untrusted content processed in the workflow definitions.
  - Capability inventory: high-privilege tools including `Bash` (shell execution), `Write`/`Edit` (filesystem access), and various MCP-provided automation tools (references/concepts/hooks-and-permissions.md).
  - Sanitization: no specific sanitization or escaping of external content before interpolation is mentioned in the prompt construction logic.
- [EXTERNAL_DOWNLOADS]: The skill's marketplace feature (`athena workflow install`) clones and installs agent configurations, prompts, and plugins from the vendor's GitHub repositories (e.g., github.com/lespaceman/*). This is a core feature for distributing workflows (references/workflows/marketplace.md).
- [COMMAND_EXECUTION]: The tool enables the underlying agent harness to execute arbitrary shell commands and modify the filesystem. These capabilities are essential to its workflow orchestration purpose and are managed through user-selectable isolation presets (`strict`, `minimal`, `permissive`) that restrict tool availability (references/concepts/isolation-presets.md).
Audit Metadata