team-assemble
Warn
Audited by Gen Agent Trust Hub on Mar 4, 2026
Risk Level: MEDIUM
Findings: COMMAND_EXECUTION, PROMPT_INJECTION, DATA_EXFILTRATION
Full Analysis
- [COMMAND_EXECUTION]: The skill explicitly instructs the agent to use `mode: "bypassPermissions"` when calling the `Task` tool for sub-agent execution in Phase 3. This parameter circumvents standard user confirmation prompts for actions performed by the sub-agents, allowing them to execute potentially sensitive operations (such as file modifications or command execution) autonomously.
- [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection due to its multi-agent workflow, where outputs from one task are directly interpolated into the prompt of another (e.g., `{result_1}` or `{architect_result}`).
  - Ingestion points: The workflow in Phase 3 ingests text results from the `Task` tool into subsequent `Task` prompts.
  - Boundary markers: No explicit delimiters or instructions are provided to the sub-agents to treat the interpolated data as untrusted or to ignore embedded instructions.
  - Capability inventory: Sub-agents are configured as "general-purpose" and operate with `bypassPermissions`, granting them broad access to perform system-level tasks.
  - Sanitization: There is no evidence of sanitization, escaping, or validation of sub-agent outputs before they are passed downstream.
- [DATA_EXFILTRATION]: The file `references/prompt-templates.md` contains a hardcoded absolute file path (`/Users/bong/team-attention/deep-thought`) within a prompt template. This practice can lead to the unintended exposure of local file system structures to the AI and provides a specific target path for potential unauthorized file operations.
Audit Metadata