audit-agent-lifecycle
Warn
Audited by Gen Agent Trust Hub on Mar 29, 2026
Risk Level: MEDIUM (COMMAND_EXECUTION, PROMPT_INJECTION)
Full Analysis
- [COMMAND_EXECUTION]: The skill instructs the agent to construct shell commands by interpolating untrusted text responses from sub-agents directly into a command string (e.g., node ... --capabilities 'CAPABILITIES_TEXT'). This pattern is susceptible to command injection if the sub-agent output contains shell metacharacters or escape sequences.
- [COMMAND_EXECUTION]: The workflow relies on the execution of local Node.js scripts (update-agent-map.mjs, populate-agent-descriptions.mjs) found within the plugin root, which perform filesystem and data management operations.
- [PROMPT_INJECTION]: The skill exhibits an indirect prompt injection surface by reading and reasoning over the contents of agent configuration files (agents/*.md) which are provided by the user or an external plugin. Maliciously crafted content in these files could influence the auditor's findings or be passed to refactoring sub-agents.
- Ingestion points: Agent files located in the agents/ directory and their associated YAML frontmatter.
- Boundary markers: The instructions do not specify the use of delimiters or 'ignore' instructions when processing the content of these external files.
- Capability inventory: The skill has the ability to execute shell commands via Node.js, write reports and dependency graphs to the filesystem (.claude/audits/), and delegate tasks to other agents via the Agent tool.
- Sanitization: No explicit sanitization or validation of the content extracted from audited agent files is described before it is used to drive analysis or command arguments.
Audit Metadata