agent-factory
Warn
Audited by Gen Agent Trust Hub on Apr 6, 2026
Risk Level: MEDIUM
Findings: PROMPT_INJECTION, COMMAND_EXECUTION
Full Analysis
- [PROMPT_INJECTION]: The skill's worker-creation flow is vulnerable to indirect prompt injection: it ingests task data and substitutes it directly into the instruction templates that drive worker agents.
  - Ingestion points: the `task['task_instructions']`, `task['name']` and `task['acceptance']` fields of the input task object are used to build the worker's instruction set.
  - Boundary markers: no delimiters or protective instructions are used when these values are interpolated into the worker templates, so instructions embedded in a task field can hijack the worker's logic.
  - Capability inventory: worker agents are dispatched with instructions to execute autonomously, without user confirmation, and can modify files and interact with a project-level message bus.
  - Sanitization: no escaping or validation is applied to the task metadata before it is written to the ephemeral worker skill file.
- [COMMAND_EXECUTION]: The skill generates and executes instructions dynamically. It writes new `SKILL.md` files to the local filesystem and then dispatches an agent to follow them. This "write-then-execute" pattern is inherently risky because the sub-agent's actions cannot be reviewed by static analysis of the skill itself. In addition, the `cleanup_worker` function calls `shutil.rmtree` on a directory path built from the `worker_id`, which incorporates `task['id']`. Without validation of the task ID, a crafted value containing path-traversal sequences could cause unauthorized directory deletion.
Audit Metadata