team-tech-debt

Warn

Audited by Gen Agent Trust Hub on Apr 17, 2026

Risk Level: MEDIUM (PROMPT_INJECTION, COMMAND_EXECUTION)
Full Analysis
  • [PROMPT_INJECTION]: The coordinator role in roles/coordinator/commands/monitor.md dynamically constructs the system prompts for sub-agents by directly interpolating the user-supplied task description. This creates a vulnerability where a user could provide a malicious description designed to override the worker agent's role-specific instructions and manipulate its behavior.
  • [COMMAND_EXECUTION]: Multiple roles, including the executor and validator, use the Bash tool to manage git worktrees and run project-specific tools like npm test or pytest. While these are standard development tasks, the execution of arbitrary scripts from the codebase being analyzed presents a risk if the project contains malicious test or build configurations.
  • [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection because the scanner role reads arbitrary source code without clear boundary markers or sanitization to prevent the LLM from interpreting malicious instructions hidden in code comments as legitimate tasks for the remediation pipeline.
  • Ingestion points: Source code files read during the scan phase in roles/scanner/role.md.
  • Boundary markers: Absent. The prompts do not specify delimiters for code content or instructions to ignore embedded directives.
  • Capability inventory: Includes filesystem modifications (Edit, Write), command execution (Bash), and sub-agent spawning (Agent tool).
  • Sanitization: Absent. Post-remediation validation focuses on functionality and regression rather than instruction integrity.
Audit Metadata
Risk Level: MEDIUM
Analyzed: Apr 17, 2026, 01:12 AM