agent-teams
Fail
Audited by Gen Agent Trust Hub on Mar 22, 2026
Risk Level: HIGH
Categories: PROMPT_INJECTION, COMMAND_EXECUTION
Full Analysis
- [PROMPT_INJECTION]: The skill repeatedly instructs both the user and the agent to use the --dangerously-skip-permissions flag when launching sub-agent sessions. This configuration explicitly removes security guardrails and mandatory permission prompts, allowing sub-agents to execute any file system or network operation without user oversight.
- [COMMAND_EXECUTION]: Implements a hook system (TeammateIdle, TaskCompleted) designed to execute arbitrary shell commands or local scripts (e.g., ./scripts/verify-task.sh). This enables the execution of unverified code within the project directory, triggered by agent state changes.
- [COMMAND_EXECUTION]: The orchestration logic relies on spawning terminal processes (Ghostty, iTerm2, tmux) via shell execution. This pattern creates an attack surface where input used to define worktree paths or branch names could potentially be manipulated to inject malicious command arguments.
- [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection because the lead agent processes unvetted data from git commit logs and status files (.agent-status). Evidence: Ingestion points include git log and .agent-status (SKILL.md). Boundary markers are absent in the provided WORKTREE_TASK.md templates. Capabilities include extensive shell access and agent spawning. Sanitization of the ingested log/status strings is not present in the workflow logic. A malicious actor could commit code with a message designed to hijack the lead agent's orchestration logic when it reviews the 'DONE' status.
Recommendations
- AI detected serious security threats
Audit Metadata