project-agent-factory
Pass
Audited by Gen Agent Trust Hub on Mar 29, 2026
Risk Level: SAFE
COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, PROMPT_INJECTION
Full Analysis
- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection. It instructs the agent to fetch documentation from external URLs (official docs, GitHub, and arbitrary web sources) to inform the creation of sub-agent 'developer_instructions'. A malicious source could contain instructions that influence the generated sub-agent's behavior.
- Ingestion points: External URLs are fetched in Step 2 and summarized for the agent plan (SKILL.md, references/multi-agent-case-sources.md).
- Boundary markers: The skill uses triple quotes for generated instruction blocks and hardcoded file path constraints, providing some basic separation.
- Capability inventory: The skill executes bash scripts, modifies project configuration, and creates sub-agents that may have 'workspace-write' or 'danger-full-access' privileges.
- Sanitization: While the skill provides robust TSV schema validation using awk in Step 3.5, it does not explicitly sanitize the natural language content extracted from external URLs before incorporating it into agent instructions.
- [COMMAND_EXECUTION]: The skill relies on extensive shell command execution for its core functionality. It directs the agent to use git, mkdir, cat, rg, awk, and comm to perform deep project analysis, set up run directories, and validate structured data. While this is intended functionality, it grants the agent broad interaction with the local file system and environment.
- [EXTERNAL_DOWNLOADS]: The workflow requires the agent to access external URLs to retrieve configuration patterns and official documentation. This includes well-known services (OpenAI, GitHub, Microsoft) and potentially any URL provided in the case sources, which could lead to the ingestion of untrusted content.
- [COMMAND_EXECUTION]: The skill facilitates the creation of sub-agents with the 'danger-full-access' sandbox mode configuration. This grants the generated agents significant permissions, which could be hazardous if those sub-agents are subsequently compromised or given malicious instructions through the documentation ingestion process.
Audit Metadata