create-agent
Warn
Audited by Gen Agent Trust Hub on Feb 20, 2026
Risk Level: MEDIUM
Finding categories: COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, PROMPT_INJECTION
Full Analysis
- COMMAND_EXECUTION (MEDIUM): The skill provides shell command templates that use unvalidated user input. Evidence: In SKILL.md, the commands 'touch .claude/agents/{name}.md' and 'mkdir -p .claude/agents/{name}/references' directly interpolate the {name} variable. If an attacker provides a malicious string for the name, it could lead to command injection on the host system.
- EXTERNAL_DOWNLOADS (LOW): The documentation encourages downloading and running external packages via npx. Evidence: references/schema.md includes an example for mcpServers using 'npx -y @example/mcp-server'.
- PROMPT_INJECTION (LOW): The skill possesses a vulnerability surface for indirect prompt injection.
  1. Ingestion points: User-provided name and description fields.
  2. Boundary markers: Absent in the bash command templates.
  3. Capability inventory: Bash tool usage for file system operations.
  4. Sanitization: Absent; the skill does not instruct the agent to sanitize or escape user input before shell execution.
- COMMAND_EXECUTION (MEDIUM): The skill documents high-privilege configuration options that bypass safety controls. Evidence: 'permissionMode: bypassPermissions' is documented in references/schema.md, which allows sub-agents to bypass all user confirmation prompts, significantly increasing the potential impact of automated malicious actions.
Audit Metadata