team-roles
Fail
Audited by Gen Agent Trust Hub on Mar 20, 2026
Risk Level: HIGHREMOTE_CODE_EXECUTIONCOMMAND_EXECUTIONEXTERNAL_DOWNLOADSPROMPT_INJECTION
Full Analysis
- [REMOTE_CODE_EXECUTION]: The skill executes external code via 'npx skills add ' and 'npx skills install '. This behavior allows for the download and execution of arbitrary code from the npm registry based on user-supplied package names.
- [COMMAND_EXECUTION]: Several shell commands are invoked with parameters derived from user input or remote content. These include 'git clone --depth 1 ', 'find', 'mkdir', 'cp', and 'rm -rf'. The use of 'git clone' on arbitrary URLs provided via the 'add' command is a significant vector for local environment manipulation.
- [EXTERNAL_DOWNLOADS]: The skill fetches content from arbitrary external sources using 'WebFetch' for single files and 'git clone' for repositories. While platforms like GitHub and npm are well-known, the specific content being ingested is untrusted and can influence agent behavior.
- [PROMPT_INJECTION]: The skill serves as an Indirect Prompt Injection surface by downloading and storing Markdown files ('roles') from untrusted sources to define agent personas.
- Ingestion points: Remote roles are fetched from GitHub, direct URLs, and npx packages as described in 'references/add-flows.md'.
- Boundary markers: The '5-Block verification' algorithm in 'SKILL.md' checks for structural tags like and but does not sanitize or validate the instructions within those tags.
- Capability inventory: The skill possesses capabilities to execute subprocesses ('git', 'npx'), write files to the project workspace, and modify '.gitignore'.
- Sanitization: Apart from stripping YAML frontmatter from npx sources, the skill does not filter or sanitize the content of the downloaded instructions, making the agent vulnerable to malicious directions embedded in the roles.
Recommendations
- AI detected serious security threats
Audit Metadata