delegation-core
Warn
Audited by Gen Agent Trust Hub on May 9, 2026
Risk Level: MEDIUM (COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION)
Full Analysis
- [COMMAND_EXECUTION]: The shared-shell-execution.md module defines a CommandBuilder and an ExecutionEngine that construct and run shell commands for external LLM CLI tools (e.g., gemini, qwen). This system builds command strings by concatenating service prefixes, prompts, and file lists. Without explicit evidence of argument escaping or sanitization, this pattern is highly susceptible to command injection if file paths or prompt content contain shell metacharacters.
- [DATA_EXFILTRATION]: The skill is designed to send local code, logs, and data to external service providers for processing. While this is the intended functionality of a delegation framework, it creates a significant surface for data exposure. Users must ensure that the external services (Gemini, Qwen, etc.) are trusted and that sensitive data is filtered as recommended in the 'Red Flags' section of modules/task-assessment.md.
- [PROMPT_INJECTION]: The skill creates a surface for indirect prompt injection by processing arbitrary data from the local environment through external models.
  - Ingestion points: The skill reads and transmits local project files (src/**/*) as context for delegation requests.
  - Boundary markers: The templates provided in modules/handoff-patterns.md do not include clear delimiters or 'ignore' instructions to prevent the external model from following instructions embedded in the processed files.
  - Capability inventory: The system can execute arbitrary shell commands via the ExecutionEngine and CommandBuilder in shared-shell-execution.md.
  - Sanitization: No sanitization logic for handling untrusted file content or shell arguments is specified in the framework.
Audit Metadata