role-creator
Warn
Audited by Gen Agent Trust Hub on Mar 22, 2026
Risk Level: MEDIUM
Findings: COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill builds a shell command (agent-team role create) by interpolating user-provided text into flags such as --description and --system-goal, then executes it. If that string is handed to a shell without escaping, a description containing shell metacharacters (quotes, ;, $(...)) is parsed as part of the command line rather than as a single argument, so the pattern is a command injection vulnerability.
- [DATA_EXFILTRATION]: The skill attempts to access the ~/.claude/skills/ directory to check for existing roles. Reading from hidden application configuration directories in the user's home path is a sensitive operation that can expose details of the local environment.
- [PROMPT_INJECTION]: This skill provides a surface for indirect prompt injection by generating system instructions and skill metadata from unvalidated user input.
- Ingestion points: User-provided natural language fields for role description and system goals (Step 2).
- Boundary markers: The template structure for the generated system.md and SKILL.md files lacks explicit delimiters around user-supplied text and carries no instruction to ignore commands embedded in it, so whatever the user types is written verbatim into files the agent later treats as instructions.
- Capability inventory: The skill can execute the agent-team CLI and write files to the repository.
- Sanitization: Input validation is limited to normalizing the role name to kebab-case, with no sanitization for descriptions or goals.
Audit Metadata