team-executor-v2
Pass
Audited by Gen Agent Trust Hub on Mar 3, 2026
Risk Level: SAFE
PROMPT_INJECTION
Full Analysis
- [PROMPT_INJECTION]: The skill exhibits an indirect prompt injection surface by design, as it relies on external session files to determine agent behavior.
  - Ingestion points: The skill ingests untrusted data from the user-provided --session path, specifically reading team-session.json, task-analysis.json, and multiple markdown files within the role-specs/ directory.
  - Boundary markers: The prompt used to spawn team-worker subagents ("Read role_spec file to load Phase 2-4 domain instructions") lacks delimiters or explicit instructions to treat the file content as data rather than instructions, potentially allowing a malicious role-spec to hijack the subagent's logic.
  - Capability inventory: The skill possesses significant capabilities including spawning background subagents (Task), executing shell commands (Bash), and modifying the file system (Write, Edit).
  - Sanitization: Validation is limited to structural checks (verifying file existence and JSON schema). The skill does not sanitize the natural language instructions or parameters loaded from the session files before passing them to the subagents.
Audit Metadata