Back to skill

Security audit

FlowForge Workflow Engine

Security checks across malware telemetry and agentic risk

Overview

FlowForge is a coherent workflow runner, but it can let broad workflow triggers drive external CLI execution, persistent state, and sub-agent actions without strong approval boundaries.

Install only if you trust the external FlowForge npm CLI and will review workflow YAML before running it. Use explicit approval gates for workflows that push code, create PRs, deploy, delete data, post publicly, or use credentials, and treat FlowForge state plus daily logs as retained local records that may contain sensitive task summaries.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (4)

Context-Inappropriate Capability

Medium
Confidence
91% confidence
Finding
The setup guide instructs users to globally install and rely on an external CLI, which expands the skill's effective capabilities beyond static guidance into executable tooling fetched from npm. This increases supply-chain and environment-modification risk, especially for agent-driven setups where users may follow commands without independently validating the package.

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
The guide recommends persistent shell configuration changes by writing to ~/.bashrc and altering PATH, which modifies the user's environment beyond the narrow purpose of running a workflow engine. Persistent environment changes can affect later sessions and other tools, and they normalize broad host reconfiguration in a skill setup path.

Vague Triggers

Medium
Confidence
89% confidence
Finding
The trigger description is very broad ('step-by-step execution', 'structured workflows', 'follow the workflow'), which can cause the skill to activate for many generic requests rather than only when the user explicitly wants FlowForge. Overbroad activation increases the chance the agent routes normal tasks through an external workflow engine and sub-agent spawning path unnecessarily, expanding attack surface and enabling unintended command execution patterns.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The reset instruction includes a destructive deletion command without an explicit warning that all FlowForge state will be lost. In agent or copy-paste driven contexts, destructive commands without confirmation language materially increase the chance of accidental data loss.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.