subagents-creator
Pass
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: SAFENO_CODEPROMPT_INJECTION
Full Analysis
- [Indirect Prompt Injection] (LOW): The skill's framework for creating subagents (e.g.,
librarian,explore) facilitates the ingestion of data from untrusted external sources, creating a vulnerability surface.\n - Ingestion points: As described in
references/subagent-types.md, thelibrarianagent fetches from "docs, OSS, web" and theexploreagent reads from the local codebase.\n - Boundary markers: The skill mandates a 7-section delegation structure (documented in
SKILL.md) that includes a "MUST NOT DO" section to define forbidden actions and mitigate potential rogue behavior from processed content.\n - Capability inventory: Subagents are granted access to tools such as
webfetch,GitHub CLI,Grep, andReadvia thebackground_taskorchestration system.\n - Sanitization: The skill relies on natural language constraints (the "MUST NOT DO" section) rather than programmatic sanitization or escaping of ingested data.\n- [No Code] (SAFE): The skill consists entirely of markdown files and does not contain any executable scripts, binary files, or automated installation procedures.
Audit Metadata