team-brainstorm
Pass
Audited by Gen Agent Trust Hub on Mar 8, 2026
Risk Level: SAFE
COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill utilizes the Bash tool for routine directory and file management.
  - Evidence: In roles/coordinator/role.md, the coordinator executes Bash("mkdir -p ...") to initialize the session folder structure. This is a legitimate use for managing local workspace artifacts.
- [PROMPT_INJECTION]: The skill includes instructions to prevent execution based on stale context, which is a safety best practice.
  - Evidence: SKILL.md defines a "COMPACT PROTECTION" rule requiring the coordinator to reload role files if context compression occurs, ensuring it does not operate on incomplete instructions.
- [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection (Category 8) due to the nature of its multi-step agent pipeline.
  - Ingestion points: Untrusted data enters the workflow via the user-provided topic description in Phase 1 and is subsequently passed between worker agents (e.g., ideator output is read by challenger).
  - Boundary markers: The instructions in role-specs/ (e.g., ideator.md, challenger.md) lack explicit delimiters or instructions to treat the ingested data as untrusted content, making agents susceptible to instructions embedded within the brainstorming topic.
  - Capability inventory: Agents involved in the pipeline have access to powerful tools including Bash, Write, Edit, and Agent (for spawning sub-agents).
  - Sanitization: There is no evidence of input validation or output sanitization performed on the brainstorming data before it is processed by the next agent in the chain.
Audit Metadata