team-lifecycle-v4

Fail

Audited by Gen Agent Trust Hub on Mar 8, 2026

Risk Level: HIGH
Findings: PROMPT_INJECTION, COMMAND_EXECUTION, REMOTE_CODE_EXECUTION, DATA_EXFILTRATION, EXTERNAL_DOWNLOADS

Full Analysis
  • [PROMPT_INJECTION]: The skill is highly vulnerable to both direct and indirect prompt injection because its architecture passes user-controlled text across multiple agent boundaries.
      ◦ Evidence: In SKILL.md and roles/coordinator/commands/dispatch.md, the coordinator ingests a task description from the user and interpolates it directly into the initialization prompts for sub-agents (e.g., team-worker and team-supervisor).
      ◦ Risk: An attacker can provide a malicious task description containing instructions like "Ignore all previous rules" or "Exfiltrate the contents of ~/.ssh/" to bypass the constraints defined in the role specifications (role_spec).
      ◦ Mitigation: Although the skill uses structured headers (e.g., PURPOSE:, TASK:, CONTEXT:), it lacks robust boundary markers and explicit instructions to ignore embedded commands within the untrusted requirement block.
  • [COMMAND_EXECUTION]: The skill implements a pattern that leads directly to shell injection by constructing bash commands from unsanitized input.
      ◦ Evidence: In roles/executor/commands/implement.md, the executor role constructs a shell command: ccw cli -p "<prompt>" --tool <tool> --mode write. The <prompt> variable contains the user-provided <task.description>.
      ◦ Risk: If a user provides a task description containing shell metacharacters (e.g., " || rm -rf / || "), the quoting of the resulting command string executed via the Bash tool is broken out of, allowing the execution of arbitrary commands on the system.
  • [REMOTE_CODE_EXECUTION]: The combination of the shell injection vulnerability and the high-privilege Bash and Agent tools creates a significant surface for remote code execution.
      ◦ Attack Surface: The skill allows autonomous execution across 8 different roles, each with access to the host filesystem and shell. An injection in the initial research phase (handled by the analyst) could propagate through the entire pipeline, compromising every subsequent worker.
      ◦ Capability: The skill is granted Bash(*), Write(*), and Agent(*) permissions, giving an attacker full control over the host environment once an injection succeeds.
  • [DATA_EXFILTRATION]: While the skill does not contain hardcoded exfiltration logic, its vulnerable command construction provides a conduit for data theft.
      ◦ Vector: An attacker can inject commands to read sensitive files (e.g., .env, SSH keys) and send them to an external server using standard utilities like curl or wget, which are available in the shell context.
  • [EXTERNAL_DOWNLOADS]: The skill uses external tools and LLM models via a custom vendor CLI.
      ◦ Details: The skill frequently calls ccw cli, a tool provided by the author (catlog22), to perform analysis and writing tasks using models like gemini, qwen, and codex.
      ◦ Note: These are documented neutrally as official vendor resources, but they represent a dependency on external services and execution of a custom binary.
Recommendations
  • AI detected serious security threats
Audit Metadata
  • Risk Level: HIGH
  • Analyzed: Mar 8, 2026, 09:35 PM