helmer

Pass

Audited by Gen Agent Trust Hub on Apr 23, 2026

Risk Level: SAFE
Flagged categories: PROMPT_INJECTION, COMMAND_EXECUTION
Full Analysis
  • [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection. It accepts user-supplied business descriptions and incorporates them into prompts for sub-agents without using boundary markers or sanitization.
      • Ingestion points: Business descriptions provided by users via $ARGUMENTS in SKILL.md are passed to specialist agents.
      • Boundary markers: The skill does not use specific delimiters or instructions to help the sub-agents distinguish between developer instructions and user-provided data.
      • Capability inventory: The sub-agents are granted access to sensitive tools including Bash, Write, Edit, and TeamCreate.
      • Sanitization: No filtering or validation is performed on the input before it is used to generate tasks for the sub-agents.
  • [COMMAND_EXECUTION]: The skill utilizes the bash tool to perform a configuration check by echoing an environment variable (CLAUDE_CODE_EXPERIMENTAL_AGENT_TEAMS). This is used to dynamically determine the agent spawning strategy and is a benign use of system commands.
Audit Metadata
Risk Level: SAFE
Analyzed: Apr 23, 2026, 11:52 PM