Flow Designer Scanning
SquireX scans Flow Designer actions (sys_hub_flow, sys_hub_action), subflows, and Now Assist Skill Kit configurations for security vulnerabilities that arise when AI agents invoke workflow automation.
Why Flow Designer Matters for Agent Security
Flow Designer is the primary orchestration mechanism for Now Assist agents. When an AI agent invokes a flow action:
- Parameters are LLM-generated: inputs pass through the model's context window, enabling injection
- Execution context escalation: flows can run in system context, bypassing Role Masking
- Subflow chains: a single agent action can trigger cascading subflows with escalating privileges
Rules
SNOW-5.1: Flow Action Without Input Validation
Severity: High
Detects sys_hub_action definitions linked to AI agents that accept parameters without type validation.
// VULNERABLE: accepts raw LLM output without validation
(function execute(inputs, outputs) {
  var gr = new GlideRecord(inputs.table_name); // Attacker controls table!
  gr.addQuery(inputs.field, inputs.value); // Attacker controls query!
  gr.query();
  outputs.result = gr.next() ? gr.getValue('sys_id') : '';
})(inputs, outputs);

// SECURE: validates inputs before processing
(function execute(inputs, outputs) {
  var allowedTables = ['incident', 'sc_req_item', 'kb_knowledge'];
  if (allowedTables.indexOf(inputs.table_name) === -1) {
    outputs.error = 'Table not in allowlist';
    return;
  }
  var gr = new GlideRecordSecure(inputs.table_name); // Enforces ACLs on the query
  gr.setLimit(50); // Bound results
  gr.addQuery(inputs.field, inputs.value);
  gr.query();
  outputs.result = gr.next() ? gr.getValue('sys_id') : '';
})(inputs, outputs);
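A simplified static check in the spirit of SNOW-5.1 and SNOW-23.1, added here as an illustration and not SquireX's own implementation: it flags a GlideRecord built from inputs.* with no preceding allowlist test, with no ACL enforcement, or with no setLimit. The function name auditActionScript and the finding labels are assumptions; the two sample scripts are the snippets above, embedded as strings.

```javascript
// Added example: regex heuristic over action script source, not SquireX code.
// Finding labels ('no-allowlist', ...) are hypothetical names for this sketch.
const VULNERABLE = `(function execute(inputs, outputs) {
  var gr = new GlideRecord(inputs.table_name);
  gr.addQuery(inputs.field, inputs.value);
  gr.query();
  outputs.result = gr.next() ? gr.getValue('sys_id') : '';
})(inputs, outputs);`;

const SECURE = `(function execute(inputs, outputs) {
  var allowedTables = ['incident', 'sc_req_item', 'kb_knowledge'];
  if (allowedTables.indexOf(inputs.table_name) === -1) {
    outputs.error = 'Table not in allowlist';
    return;
  }
  var gr = new GlideRecordSecure(inputs.table_name);
  gr.setLimit(50);
  gr.addQuery(inputs.field, inputs.value);
  gr.query();
  outputs.result = gr.next() ? gr.getValue('sys_id') : '';
})(inputs, outputs);`;

function auditActionScript(source) {
  const findings = [];
  // Matches: var gr = new GlideRecord(inputs.x) or new GlideRecordSecure(inputs.x)
  const ctor = /(?:var|let|const)\s+(\w+)\s*=\s*new\s+(GlideRecord(?:Secure)?)\s*\(\s*inputs\.(\w+)\s*\)/g;
  let m;
  while ((m = ctor.exec(source)) !== null) {
    const [, varName, cls, inputName] = m;
    const before = source.slice(0, m.index); // code that runs before the constructor
    const after = source.slice(m.index);     // code from the constructor onward
    // The allowlist test must reference the same input before the table is opened.
    const allowlisted = new RegExp(
      '\\.(?:indexOf|includes)\\s*\\(\\s*inputs\\.' + inputName + '\\s*\\)').test(before);
    if (!allowlisted) findings.push('no-allowlist');              // SNOW-5.1
    if (cls === 'GlideRecord') findings.push('no-acl-enforcement'); // not GlideRecordSecure
    if (!new RegExp('\\b' + varName + '\\.setLimit\\s*\\(').test(after)) {
      findings.push('unbounded-query');                           // SNOW-23.1
    }
  }
  return findings;
}

console.log('vulnerable:', auditActionScript(VULNERABLE));
console.log('secure:', auditActionScript(SECURE));
```

Pattern matching on source text misses aliased inputs and dynamically built table names, so treat a clean result as a prompt for review rather than proof of safety.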
SNOW-5.2: Flow Running in System Context
Severity: Critical
Detects flows linked to AI agents that execute with system privileges instead of the agent's Dynamic User context.
Remediation: Configure the flow to run as "Current User" and apply Role Masking to the agent's execution identity.
SNOW-12.1: Skill Kit Version Drift
Severity: High
Detects sys_gen_ai_skill_applicability records with missing ACLs. Skills published without role restrictions are accessible to all agents on the instance.
Remediation: Configure ACLs on the skill applicability record to restrict which roles can invoke the skill.
Decision Table Analysis
SquireX also scans sys_decision records referenced by Flow Designer actions:
- Decision tables with unconstrained input ranges
- Tables mapping to privileged operations (e.g., approval bypasses)
- Missing audit trail on decision outcomes
Integration with SNOW Rule Taxonomy
| Rule | What It Catches | Related Flow Component |
|---|---|---|
| SNOW-5.1 | Missing input validation | sys_hub_action inputs |
| SNOW-5.2 | System context execution | Flow run-as configuration |
| SNOW-12.1 | Unprotected skill bindings | sys_gen_ai_skill_applicability |
| SNOW-1.1 | Tool without confirmation | sn_aia_tool → flow action link |
| SNOW-23.1 | Unbounded queries in flows | GlideRecord in flow scripts |