team-init
Warn
Audited by Gen Agent Trust Hub on Apr 7, 2026
Risk Level: MEDIUM (REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, PROMPT_INJECTION)
Full Analysis
- [REMOTE_CODE_EXECUTION]: The skill includes a "Remote Roles" feature that allows users to supply arbitrary GitHub repository URLs or npx package names. The skill then installs and executes these roles as sub-agents. This allows for the execution of unverified external code within the agent's environment.
- [COMMAND_EXECUTION]: When spawning sub-agents, the skill explicitly uses the `mode: "bypassPermissions"` configuration. This grants the spawned agents elevated authority, potentially allowing them to perform actions that would otherwise be restricted, increasing the impact of a compromised or malicious role definition.
- [PROMPT_INJECTION]: The skill reads role definitions and workflows from the user's local workspace (specifically the `.teams/` directory) and injects the raw file content into sub-agent prompts using tags like `<your_role>` and `<workflow>`. There is no evidence of sanitization or validation of this content, making the system vulnerable to indirect prompt injection if an attacker can influence the files in the workspace (e.g., through a separate Git pull or a malicious script).
Audit Metadata