parallel-agents
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGH (COMMAND_EXECUTION, PROMPT_INJECTION)
Full Analysis
- [Indirect Prompt Injection] (HIGH): The skill's core orchestration pattern creates a dangerous surface for indirect prompt injection.
  - Ingestion points: Sub-agents are explicitly intended for 'research/exploration' tasks where they process external, untrusted content in SKILL.md.
  - Boundary markers: There are no boundary markers or instructions provided to isolate or escape the untrusted data before it is embedded in prompts or commands.
  - Capability inventory: Agents are granted shell execution capabilities via the bash template and file system write access for status tracking.
  - Sanitization: The pattern lacks any sanitization or validation logic for the variable placeholders (`<identifier>`, `<task-name>`) used in shell commands.
- [Dynamic Execution] (HIGH): The skill promotes the generation and execution of shell commands based on dynamic templates containing untrusted variables.
  - Evidence: The template in SKILL.md uses: `echo "COMPLETE: - $(date)" >> .claude/cache/-status.txt`.
  - Risk: An attacker-controlled identifier (e.g., from a malicious research source) could inject additional shell commands using backticks or command substitution, leading to arbitrary command execution on the host system.
Recommendations
- AI detected serious security threats
Audit Metadata