code-review-team

Fail

Audited by Gen Agent Trust Hub on Feb 20, 2026

Risk Level: HIGH
Findings: COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
  • COMMAND_EXECUTION (HIGH): The skill utilizes the 'bypassPermissions' mode when spawning worker agents via the Task tool in 'references/team-spawn.md'. This is an intentional privilege escalation that bypasses configured safety and permission boundaries, allowing sub-agents to perform sensitive operations like file modification or tool execution without standard oversight.
  • PROMPT_INJECTION (LOW): The skill is susceptible to Indirect Prompt Injection (Category 8) as it processes untrusted project data to guide agent behavior.
    1. Ingestion points: 'CLAUDE.md', '.claude/settings.json', and project source code via 'git diff'.
    2. Boundary markers: Absent; project-sourced rules are directly interpolated into worker prompts without delimiters or instructions to ignore embedded commands.
    3. Capability inventory: Sub-agents have 'Read', 'Edit', and 'git' access, along with the ability to report status via 'SendMessage'.
    4. Sanitization: None; the skill assumes all content in project configuration files is safe and authoritative.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level
HIGH
Analyzed
Feb 20, 2026, 03:18 PM