team-assemble
Warn
Audited by Gen Agent Trust Hub on Apr 17, 2026
Risk Level: MEDIUM (COMMAND_EXECUTION, PROMPT_INJECTION)
Full Analysis
- [COMMAND_EXECUTION]: The skill explicitly instructs the agent to launch subagents (scouts and execution agents) using the mode: "bypassPermissions" configuration. This bypasses the platform's human-in-the-loop safety requirement, allowing automated agents to perform potentially destructive actions via the Bash, Write, and Edit tools without user approval.
- [PROMPT_INJECTION]: The skill is highly susceptible to Indirect Prompt Injection. It uses Phase 2 'scouts' to ingest untrusted content from the codebase, which is then used to dynamically generate prompts for worker agents in Phase 4. Malicious instructions hidden in source code or documentation could be processed and followed by agents running in bypass mode.
- [PROMPT_INJECTION]: Evidence Chain for Indirect Prompt Injection Surface:
  - Ingestion points: Codebase files (CLAUDE.md, README.md, source files) are read by scout agents in Phase 2 and interpolated into execution prompts in Phase 4.
  - Boundary markers: The templates in references/prompt-templates.md use markdown headers (e.g., ## Context, ## Goal) but lack explicit instructions for agents to ignore embedded commands or instructions within the interpolated data.
  - Capability inventory: The agent team has full access to the Bash, Write, Edit, Agent, and TeamCreate tools.
  - Sanitization: No sanitization or escaping of the codebase content is performed before it is injected into subagent prompts.
- [PROMPT_INJECTION]: The prompt templates in references/prompt-templates.md do not implement robust defense-in-depth measures against prompt injection, relying on the agent's ability to distinguish between instructions and data without explicit delimiters.
Audit Metadata