agent-creator
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGH
Tags: COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
- [Indirect Prompt Injection] (HIGH): The skill ingests user requirements and scenarios to generate executable agent configurations. This surface can be exploited to create malicious sub-agents with hidden capabilities.
- Ingestion points: User-provided goals and specific scenarios (SKILL.md Step 1).
- Boundary markers: Absent; user input is directly used to formulate the sub-agent's identity and behavior.
- Capability inventory: Ability to write persistent configuration files to .claude/agents/ and ~/.claude/agents/, and to configure shell-based execution hooks.
- Sanitization: No validation or sanitization of user-provided logic or scripts before implementation.
- [Privilege Escalation] (HIGH): The skill provides explicit instructions and templates for using bypassPermissions, permissionMode: dontAsk, and permissionMode: bypassPermissions. These settings allow sub-agents to perform actions like file editing and command execution without the user's explicit consent for each action.
- [Persistence Mechanisms] (HIGH): The skill automates writing agent definitions to the user's global agent directory (~/.claude/agents/). This allows a sub-agent created during a single session to persist and be active across all future projects and sessions for that user.
- [Dynamic Execution] (MEDIUM): The skill facilitates the configuration of hooks (PreToolUse and PostToolUse) that execute shell commands (e.g., command: "./scripts/run-linter.sh"). While the provided examples are benign, the mechanism allows for arbitrary command execution whenever specific tools are used by the generated sub-agent.
Recommendations
- AI detected serious security threats
Audit Metadata