squads
Fail
Audited by Gen Agent Trust Hub on Mar 10, 2026
Risk Level: HIGH
Categories: REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
- [REMOTE_CODE_EXECUTION]: The skill includes instructions to install the uv tool by downloading and executing a script directly from the well-known service astral.sh via a shell pipe.
- [COMMAND_EXECUTION]: The skill employs Bash tools for system-level tasks, such as managing directory structures and registering agent commands by copying files into system directories.
- [COMMAND_EXECUTION]: The skill implements a persistence mechanism by writing a Node.js monitoring script to the filesystem and modifying the agent's .claude/settings.local.json configuration to ensure the script executes during every tool call in future sessions.
- [PROMPT_INJECTION]: The skill exhibits an attack surface for indirect prompt injection by processing external configuration files without explicit sanitization.
  - Ingestion points: The skill reads squad.yaml and .md agent/task files using the Read and Glob tools.
  - Boundary markers: The protocol does not specify the use of delimiters or instructions to ignore embedded commands within the ingested files.
  - Capability inventory: The skill has access to the Bash, Write, and Edit tools to perform system-level modifications.
  - Sanitization: Contents are parsed and used to influence agent behavior without prior sanitization or validation of the input data.
Recommendations
- AI detected serious security threats
Audit Metadata