managing-agents
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGH
Categories: COMMAND_EXECUTION, DATA_EXFILTRATION
Full Analysis
- [Indirect Prompt Injection] (HIGH): The skill implements a workflow system where the output of one agent (e.g., a 'security-scanner') is passed directly to another agent (e.g., 'general-purpose') for analysis using syntax like `Analyze {findings}`. This creates a high-severity injection surface where malicious data in the `{findings}` variable can override the instructions of the subsequent agent.
  - Ingestion points: Workflow step outputs and file content from the `temp-agents/` and `agents/` directories.
  - Boundary markers: None visible in the provided prompt interpolation examples.
  - Capability inventory: The system executes agents that have access to tools like `Grep`, `Read`, and `Edit` (file system modification).
  - Sanitization: No evidence of sanitization or escaping for the `{findings}` placeholder.
- [Data Exposure & Exfiltration] (HIGH): The files `external-agents.json` and `available-agents.md` explicitly reference and manage files in the `~/.claude/` directory. Accessing the user's home directory configuration files for AI agents is a sensitive operation that exposes local configuration and potentially sensitive agent definitions.
- [Command Execution] (MEDIUM): The skill enables the creation and execution of custom agents with file system tools (`Read`, `Grep`, `Edit`). While this is a core feature, the lack of strict boundaries around the instructions these agents follow when processing external data increases the risk of unauthorized file modifications.
Recommendations
- AI detected serious security threats
Audit Metadata