hammer
Pass
Audited by Gen Agent Trust Hub on Feb 26, 2026
Risk Level: SAFEPROMPT_INJECTIONCOMMAND_EXECUTION
Full Analysis
- [PROMPT_INJECTION]: The skill provides a surface for indirect prompt injection by interpolating untrusted task descriptions and codebase context directly into agent instructions.
- Ingestion points: The variables
{{TASK_DESCRIPTION}}and{{ADDITIONAL_CONTEXT}}are used inreferences/loop-coordinator-prompt.mdto define worker tasks. - Boundary markers: The prompt templates lack explicit delimiters or instructions to prevent agents from obeying commands embedded within the input data.
- Capability inventory: Agents have access to the
teamstool for delegation and thegittool for modifying the local codebase. - Sanitization: No validation or sanitization of the provided task description is performed.
- [COMMAND_EXECUTION]: The skill instructs agents to execute arbitrary build and test commands from the local working directory.
- Evidence: In
references/loop-coordinator-prompt.md, sub-agents are directed to "run build, tests, linting -- actual commands" and "Run tests to verify they pass". This results in the execution of scripts defined in the repository, which could be malicious if the repository content is untrusted.
Audit Metadata