Agents
Pass
Audited by Gen Agent Trust Hub on Mar 5, 2026
Risk Level: SAFEPROMPT_INJECTION
Full Analysis
- [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection. User-provided task descriptions are interpolated into sub-agent prompts using unescaped Handlebars syntax ('{{{task}}}'), which allows an attacker to potentially break out of the intended prompt structure and override sub-agent behavior.
- Ingestion Points: The '--task' CLI argument in 'Tools/AgentFactory.ts' and 'Tools/ComposeAgent.ts' serves as the primary entry point for untrusted data.
- Boundary Markers: While the 'Templates/DynamicAgent.hbs' template uses Markdown headers (e.g., '## Your Task') to separate the task from other instructions, these are insufficient to prevent a sophisticated injection from influencing the sub-agent's 'Operational Guidelines'.
- Capability Inventory: The agents created by this skill (Architect, Engineer, Researcher, etc.) possess significant capabilities, including file system access, command execution, and tool usage, which increases the potential impact of a successful injection.
- Sanitization: No validation, escaping, or sanitization of the 'task' string is performed before it is rendered into the final system prompt for the sub-agent.
Audit Metadata