team-coordinate-v2
Warn
Audited by Gen Agent Trust Hub on Feb 28, 2026
Risk Level: MEDIUM (COMMAND_EXECUTION, PROMPT_INJECTION, EXTERNAL_DOWNLOADS)
Full Analysis
- [COMMAND_EXECUTION]: The subagents/discuss-subagent.md file defines a Bash command template that interpolates into a shell command: ccw cli -p '... Artifact: '. This pattern is susceptible to shell injection if the artifact content, which may be derived from external sources or user input, contains single quotes or other shell metacharacters.
- [PROMPT_INJECTION]: The skill exhibits a significant indirect prompt injection surface (Category 8).
  - Ingestion points: roles/coordinator/commands/analyze-task.md (user task descriptions), subagents/discuss-subagent.md (task artifacts), and subagents/explore-subagent.md (codebase content).
  - Boundary markers: Absent. Instructions and data are interpolated into templates in specs/role-spec-template.md and subagents/discuss-subagent.md without clear delimiters or 'ignore embedded instructions' warnings.
  - Capability inventory: The skill uses Bash, Write, Edit, and Task (to spawn new agents), providing high-impact capabilities if an injection occurs.
  - Sanitization: No evidence of input validation, escaping, or output filtering is present in the orchestration logic.
- [EXTERNAL_DOWNLOADS]: The subagents/explore-subagent.md utility uses WebSearch as a priority tool for gathering information, which allows the agent to fetch and process data from external, non-whitelisted domains.