agent-teams
Fail
Audited by Gen Agent Trust Hub on Feb 13, 2026
Risk Level: HIGH
PROMPT_INJECTION
Full Analysis
- [Indirect Prompt Injection] (HIGH): The skill defines a framework for inter-agent communication and shared task management that is highly susceptible to indirect injection attacks.
  - Ingestion points: Untrusted data enters the execution context through `TaskCreate` (subject and description fields) and `SendMessage` (message content).
  - Boundary markers: The skill provides no delimiters or instructions to help sub-agents distinguish between data to be processed and instructions to be followed.
  - Capability inventory: The skill spawns agents with `subagent_type="general-purpose"`, granting them full access to workspace tools, including file modification and command execution.
  - Sanitization: No sanitization, escaping, or validation logic is defined for data moved between agents or stored in the shared task list.
- [Data Exposure] (LOW): The skill identifies and uses configuration paths such as `~/.claude/settings.json` and internal state directories in `~/.claude/teams/`. While these involve sensitive locations, the documented usage is limited to standard configuration setup and local state persistence.
Recommendations
- AI detected serious security threats
Audit Metadata