sub-agents
Warn
Audited by Gen Agent Trust Hub on Feb 28, 2026
Risk Level: MEDIUM
Findings: COMMAND_EXECUTION, PROMPT_INJECTION, CREDENTIALS_UNSAFE, DATA_EXFILTRATION
Full Analysis
- [COMMAND_EXECUTION]: The script `scripts/run_subagent.py` executes external AI command-line tools like `claude`, `codex`, and `gemini` using `subprocess.Popen`. This mechanism allows the skill to run arbitrary commands within the environment provided by these external agents.
- [COMMAND_EXECUTION]: For users of the Codex environment, the skill specifically instructs the use of `require_escalated` permissions in `references/codex.md`. This bypasses standard sandbox restrictions to allow access to local session files, presenting a privilege escalation surface.
- [PROMPT_INJECTION]: The skill is designed to handle untrusted user input and combine it with file-based context, creating a significant indirect prompt injection surface.
  - Ingestion points: Processes user-provided strings via the `--prompt` argument and reads agent definition files from the `.agents/` directory.
  - Boundary markers: Relies on simple text-based headers like `[System Context]` and `[User Prompt]` to separate instructions, which can be easily circumvented by adversarial inputs.
  - Capability inventory: The sub-agents invoked have the ability to execute code, read files, and interact with external APIs.
  - Sanitization: The script performs no content validation or escaping of the user-provided prompt before execution.
- [CREDENTIALS_UNSAFE]: The script accesses the `CLI_API_KEY` environment variable and passes it as a command-line argument (`-a`) when invoking `cursor-agent`. This practice makes the secret key visible in the system's process list to other users or applications.
- [DATA_EXFILTRATION]: The skill accesses sensitive session information at `~/.codex/sessions`. While intended for context sharing between agents, this access to private session metadata constitutes a potential data exposure risk.
Audit Metadata