sub-agents
Fail
Audited by Gen Agent Trust Hub on Apr 22, 2026
Risk Level: HIGH
COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill's documentation in `references/codex.md` instructs the user to configure the agent to run with `sandbox_permissions: require_escalated`. This deliberately bypasses default security sandboxing, granting the script and any sub-agents it spawns access to sensitive host files and session data such as SSH keys or local session states stored in `~/.codex/sessions`.
- [COMMAND_EXECUTION]: The script `scripts/run_subagent.py` uses `subprocess.Popen` to execute external CLI binaries. While the binary names are selected from a fixed list (claude, cursor-agent, codex, gemini), the execution parameters and prompts are derived from user input, allowing for high-privilege operations if the sandbox is escalated.
- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection due to its design of delegating tasks to sub-agents.
  - Ingestion points: Untrusted data enters the agent context via the `--prompt` argument in `scripts/run_subagent.py` and via agent definition files stored in the `.agents/` directory.
  - Boundary markers: The script uses simple text headers like `[System Context]` and `[User Prompt]` to separate data, which can be easily bypassed by adversarial input designed to overwrite sub-agent behavior.
  - Capability inventory: The skill has the ability to execute shell commands and file system operations through the external CLIs it invokes in `scripts/run_subagent.py`.
  - Sanitization: There is no sanitization or filtering of the prompt content before it is passed to the sub-agent CLI.
Recommendations
- AI detected serious security threats
Audit Metadata