multi-agent-creator
Warn
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: MEDIUM
NO_CODE, PROMPT_INJECTION, COMMAND_EXECUTION
Full Analysis
- [NO_CODE] (INFO): The skill consists entirely of Markdown documentation and contains no executable scripts (Python, JS, Bash). The primary risks are architectural rather than immediate malicious code execution.
- [PROMPT_INJECTION] (MEDIUM): This skill defines an orchestration pattern that is vulnerable to Indirect Prompt Injection (Category 8).
  - Ingestion points: User input for business processes and 'multiple sources' identified in Step 1 of SKILL.md.
  - Boundary markers: Absent; the skill does not specify delimiters or 'ignore' instructions for external data.
  - Capability inventory: The framework uses a 'Task' tool and 'TodoWrite' to manage state and execute logic.
  - Sanitization: Absent; the skill lacks validation or filtering for data passed between sub-agents.
- [COMMAND_EXECUTION] (MEDIUM): The FAQ explicitly suggests that sub-agents can be implemented using high-privilege environments such as Bash, Python, and Node.js. In an orchestration context where one agent processes data for another, this creates a vector for arbitrary command execution if the input data contains malicious instructions.
Audit Metadata