team-task-coordination
Warn
Audited by Gen Agent Trust Hub on Apr 6, 2026
Risk Level: MEDIUM
COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The scripts provided in the skill (`check-processing-marker.sh`, `create-processing-marker.sh`, and `remove-processing-marker.sh`) are vulnerable to path traversal. They construct filesystem paths using the `task-id` parameter without any sanitization. This allows an attacker to manipulate the agent into creating, reading, or deleting files in arbitrary locations (e.g., using `../../` in the task ID). Specifically, `check-processing-marker.sh` will attempt to delete the target file if it fails to read it as a valid JSON marker, which could be exploited to delete critical system or configuration files.
- [DATA_EXFILTRATION]: The skill accesses the agent's `~/SOUL.md` file to retrieve identity information. Additionally, the file coordination logic uses a shared directory path (`/root/hiclaw-fs/shared/tasks/`) that is not scoped by the resolved `TEAM_NAME`, potentially allowing cross-team data access or interference. The path traversal vulnerability further enables the reading of arbitrary files from the filesystem, which could be exposed via the agent's output.
- [PROMPT_INJECTION]: The skill exhibits an unsafe attack surface for indirect prompt injection by accepting untrusted task identifiers that are directly used in sensitive shell operations.
- Ingestion points: The `task-id` parameter in the coordination scripts.
- Boundary markers: None present in the scripts or the instruction manual.
- Capability inventory: File creation (`mkdir`), file writing (`cat >`), file reading (`cat`), and file deletion (`rm`) with root-relative paths.
- Sanitization: None. The input parameters are used directly within shell strings for path construction.
Audit Metadata