agent-context-isolation
Fail
Audited by Gen Agent Trust Hub on Feb 15, 2026
Risk Level: HIGH (PROMPT_INJECTION, COMMAND_EXECUTION)
Full Analysis
- PROMPT_INJECTION (HIGH): The skill's architecture, a multi-agent pipeline coordinated through files, exposes it to Indirect Prompt Injection.
  - Ingestion points: Downstream agents (Plan, Validate, Implement) read files from .claude/cache/agents/ generated by previous agents (Research, Plan, etc.).
  - Boundary markers: Absent. The instructions do not recommend the use of delimiters or 'ignore embedded instructions' warnings when reading output from coordination files.
  - Capability inventory: The 'Implement agent' is explicitly designed to write to production source code (src/module.ts). The main agent uses Bash for file discovery and test execution.
  - Sanitization: Absent. There is no logic provided to escape or validate the contents of agent-generated files before they are interpreted as instructions or data for the next agent stage.
- COMMAND_EXECUTION (MEDIUM): The skill utilizes shell commands to manage the agent pipeline.
  - Evidence: Use of Bash("ls -la ..."), Bash("bun test"), and Bash("find ...") to poll and verify the state of sub-agents. If sub-agents generate malicious filenames or output, these commands could be exploited depending on how the agent processes the results.
Recommendations
- AI detected serious security threats
Audit Metadata