agent-to-agent
Pass
Audited by Gen Agent Trust Hub on Apr 10, 2026
Risk Level: SAFE
PROMPT_INJECTION, COMMAND_EXECUTION
Full Analysis
- [PROMPT_INJECTION]: The skill architecture establishes a surface for indirect prompt injection through its shared context mechanism.
  - Ingestion points: Agents ingest data and task instructions from a shared file named .a2a-context.json (SKILL.md Sections 2.1, 4.1).
  - Boundary markers: The protocol utilizes structured JSON schemas to define message types, which provides a layer of data/instruction separation but does not prevent malicious payloads in data fields (SKILL.md Section 1.1).
  - Capability inventory: Participating agents are granted access to high-impact tools such as Bash, Write, and Agent (SKILL.md Frontmatter).
  - Sanitization: There is no explicit requirement or mechanism within the protocol for agents to sanitize or validate external data (e.g., web research findings) before writing it to the shared context file used by other agents.
- [COMMAND_EXECUTION]: The framework permits the execution of shell commands through automated agent workflows.
  - Evidence: The protocol defines templates for Code and Review agents that explicitly utilize the Bash tool for implementation, debugging, and testing tasks (SKILL.md Section 3.3).