custom-sub-agents

Warn

Audited by Gen Agent Trust Hub on Feb 28, 2026

Risk Level: MEDIUM
REMOTE_CODE_EXECUTION, PROMPT_INJECTION, COMMAND_EXECUTION
Full Analysis
  • [REMOTE_CODE_EXECUTION]: The AgentRegistry and its discoverAgents function (detailed in references/05-advanced-patterns.md and references/07-project-organization.md) implement an auto-discovery mechanism that scans the file system and dynamically loads the JavaScript modules it finds with require() from the computed paths. Because require() executes a module's top-level code at load time, anyone who can write a file into a scanned directory, or point a symlink from it to a file elsewhere, gets arbitrary code execution with the privileges of the host process as soon as discovery runs, before any validation of what was loaded. The risk is real whenever the scanned directories are writable by a less trusted party (shared checkouts, user-supplied plugin folders, extracted archives).
  • [PROMPT_INJECTION]: The architectural guidelines (e.g., in references/01-agent-folder-structure.md) describe agents that process untrusted data while holding privileged tools, which is the precondition for indirect prompt injection. Ingestion points: untrusted data enters the agent context through API endpoints and file system reads (references/01-agent-folder-structure.md). Boundary markers: the base templates contain no delimiters that separate externally sourced data from instructions, so injected text is indistinguishable from the prompt. Capability inventory: the agents are designed with significant capabilities, including database execution, file writing, and network operations (references/01-agent-folder-structure.md, references/04-testing-tools.md), so a successful injection can translate directly into data modification or exfiltration. Sanitization: the framework provides a ValidationTool example (references/04-testing-tools.md), but nothing in the base templates enforces its use, so the safety of the architecture depends on every agent applying these validation patterns consistently.
  • [COMMAND_EXECUTION]: The documentation for an AgentCliTool in references/08-integration-deployment.md demonstrates a command-line interface for managing and executing agents. Command-line arguments therefore select which agent runs and with what input, and may lead to system-level operations. If those arguments are interpolated into shell command strings or used to build file paths, they become a command-injection or path-traversal vector; the tool needs strict input validation (allowlisted subcommands and agent names, and argument arrays rather than shell strings for any process it spawns) to prevent this.
Audit Metadata
Risk Level: MEDIUM
Analyzed: Feb 28, 2026, 12:09 PM