
council

Warn

Audited by Gen Agent Trust Hub on Apr 8, 2026

Risk Level: MEDIUM
Findings: COMMAND_EXECUTION, PROMPT_INJECTION, REMOTE_CODE_EXECUTION
Full Analysis
  • [COMMAND_EXECUTION]: The skill uses the Bash tool to execute shell commands for retrieving content from git, gh (GitHub CLI), and platform-specific utilities like hoyeon-cli and codex.
  • [REMOTE_CODE_EXECUTION]: The skill dynamically spawns multiple sub-agents using the Agent tool. These calls explicitly include the parameter mode="bypassPermissions", which attempts to override or circumvent standard permission constraints for the sub-agents within the platform environment.
  • [PROMPT_INJECTION]: The skill has a significant attack surface for Indirect Prompt Injection (Category 8). It ingests untrusted data from local files, git diffs, and GitHub PRs and interpolates that content directly into the system prompts of sub-agents.
      • Ingestion points: Phase 1 collects data using Read(), gh pr diff, and git diff in SKILL.md.
      • Boundary markers: Absent; while markdown headers are used, there are no explicit XML tags or 'ignore nested instructions' markers around the interpolated [full topic content] variable.
      • Capability inventory: Sub-agents (panelists and judges) have access to SendMessage, Bash, Read, and other sensitive tools, which could be abused if an injection is successful.
      • Sanitization: No sanitization, escaping, or validation of the external content was detected before it is passed to the sub-agents.
Audit Metadata
  • Risk Level: MEDIUM
  • Analyzed: Apr 8, 2026, 11:01 AM