tools-claude-code-teams-mcp
Warn
Audited by Gen Agent Trust Hub on Mar 2, 2026
Risk Level: MEDIUM
Findings: EXTERNAL_DOWNLOADS, REMOTE_CODE_EXECUTION, PROMPT_INJECTION, COMMAND_EXECUTION
Full Analysis
- [EXTERNAL_DOWNLOADS]: The SKILL.md file provides configuration instructions that require downloading a package from a third-party GitHub repository (git+https://github.com/cs50victor/claude-code-teams-mcp) during setup.
- [REMOTE_CODE_EXECUTION]: The setup instructions utilize the uvx tool to directly execute code fetched from the cs50victor/claude-code-teams-mcp repository, which constitutes unvetted remote code execution.
- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection because it is designed to ingest and process messages from teammates (sub-agents) via the claude-teams_poll_inbox and claude-teams_read_inbox tools.
  - Ingestion points: Teammate messages are retrieved using claude-teams_poll_inbox and claude-teams_read_inbox as described in SKILL.md.
  - Boundary markers: There are no explicit delimiters or boundary markers used when processing teammate output.
  - Capability inventory: The skill can spawn new agents (claude-teams_spawn_teammate), send messages (claude-teams_send_message), and execute local scripts.
  - Sanitization: While the skill instructs the agent to monitor for rogue or unsafe messages and intervene by shutting down the teammate, this relies on LLM interpretation rather than programmatic sanitization.
- [COMMAND_EXECUTION]: The sub-skills/experimental-background-monitor.md file encourages the execution of a local Python script (./scripts/opencode-teams-orchestrator.py) and shell commands like opencode serve to facilitate background monitoring.
Audit Metadata