subagents-management
Pass
Audited by Gen Agent Trust Hub on May 9, 2026
Risk Level: SAFE
Findings: COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill uses Python scripts to perform file system operations such as listing, creating, moving, and deleting markdown and TOML configuration files in user and project directories (~/.claude/agents/, ~/.codex/agents/, etc.).
- [COMMAND_EXECUTION]: Includes a deletion script (delete_subagent.py) with a --force flag. However, the skill instructions explicitly mandate using the AskUserQuestion tool for manual user confirmation before any deletion occurs, mitigating the risk of accidental or unauthorized file removal.
- [PROMPT_INJECTION]: The skill presents an indirect prompt injection surface as it allows the agent to generate subagent configuration files containing system prompts derived from user-supplied input. If a user provides a malicious prompt, it will be saved as the subagent's instruction set, which could influence the behavior of that subagent when invoked later.
  - Ingestion points: User-provided text via the --prompt and --description arguments in create_subagent.py.
  - Boundary markers: No explicit boundary markers or protection against embedded instructions are used in the generated subagent markdown files.
  - Capability inventory: Scripts for file creation, movement, and deletion are present (create_subagent.py, move_subagent.py, delete_subagent.py).
  - Sanitization: Basic alphanumeric validation is performed on the subagent name, but the prompt content is interpolated without sanitization into the final configuration file.