create-agent
Pass
Audited by Gen Agent Trust Hub on Feb 21, 2026
Risk Level: SAFE
Categories: PROMPT_INJECTION, COMMAND_EXECUTION
Full Analysis
- PROMPT_INJECTION (LOW): The skill identifies a surface for indirect prompt injection (Category 8). It collects user input for an agent's 'Description' and 'Tools' and writes them into a new markdown file that defines the subagent's behavior.
- Ingestion points: User input collected in step 3 ('描述' (Description) and '工具' (Tools)).
- Boundary markers: Absent. The logic '插入用户输入' (insert user input) into a template does not specify the use of delimiters or 'ignore' instructions to prevent the subagent from obeying commands embedded in the description.
- Capability inventory: The skill uses the `Write`, `Read`, `Bash`, and `Glob` tools.
- Sanitization: Only the `agent-name` is validated against a regex. The description and tools fields lack sanitization, allowing for potential instruction injection in the generated file.
- COMMAND_EXECUTION (SAFE): The skill lists the `Bash` tool as allowed. While this is a high-privilege tool, the execution logic is restricted to checking for the existence of directories (`.claude/`) and initializing standard plugin structures. No evidence of shell injection or arbitrary command execution from external sources was found in the provided logic.
Audit Metadata