orchestration
Warn
Audited by Gen Agent Trust Hub on Feb 28, 2026
Risk Level: MEDIUM
Findings: EXTERNAL_DOWNLOADS, REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
- [EXTERNAL_DOWNLOADS]: The skill recommends using bunx ccrecall sync in references/task-management.md, which fetches the ccrecall package from the public npm registry at runtime without version verification.
- [REMOTE_CODE_EXECUTION]: Execution of the ccrecall package via bunx constitutes dynamic loading and execution of remote code from a non-trusted source.
- [COMMAND_EXECUTION]: The skill instructs the agent to execute shell commands to synchronize analytics data, involving the bunx package runner.
- [DATA_EXFILTRATION]: The ccrecall sync operation reads team configuration data from ~/.claude/teams/ and transmits it to an external service for analytics purposes.
- [PROMPT_INJECTION]: The skill describes patterns where agents ingest untrusted codebase content to generate tasks, creating a surface for indirect prompt injection.
  - Ingestion points: Agents are tasked with reading files such as src/auth/ or CI logs to gather context for further actions.
  - Boundary markers: The skill recommends using a 'Worker preamble' (e.g., 'CONTEXT: You are a WORKER agent...') and file partitioning to restrict agent behavior.
  - Capability inventory: Tools like TaskCreate and TeamCreate provide the ability to read/write files and execute delegated tasks.
  - Sanitization: No technical sanitization or escaping of ingested file content is specified before it is interpolated into sub-agent prompts.
Audit Metadata