team-assemble

Fail

Audited by Gen Agent Trust Hub on Mar 3, 2026

Risk Level: HIGH
COMMAND_EXECUTION, PROMPT_INJECTION, EXTERNAL_DOWNLOADS
Full Analysis
  • [COMMAND_EXECUTION]: Subagents are explicitly configured with mode: "bypassPermissions" as seen in SKILL.md Phase 4 and references/agents.md. This allows these agents to use tools like Bash to execute arbitrary commands on the host system without requesting user approval for each action.
  • [PROMPT_INJECTION]: The skill exhibits an indirect prompt injection surface (Category 8).
    1. Ingestion points: Phase 2 "scouts" read files such as CLAUDE.md, README.md, and source code via the Glob and Read tools in references/prompt-templates.md.
    2. Boundary markers: The prompt templates in references/prompt-templates.md do not use robust delimiters or instructions to prevent agents from following commands embedded in the files they read.
    3. Capability inventory: The skill possesses Bash, Write, Edit, TeamCreate, and TaskUpdate capabilities, and subagents often run in bypassPermissions mode.
    4. Sanitization: No sanitization or validation of the codebase content is performed before it is injected into subagent prompts.
  • [EXTERNAL_DOWNLOADS]: The references/enable-agent-teams.md file encourages users to install external software such as tmux via package managers or it2 via a GitHub repository (https://github.com/mkusaka/it2) to enable specific display modes.
  • [COMMAND_EXECUTION]: The setup instructions in references/enable-agent-teams.md guide users to modify sensitive shell configuration files such as ~/.bashrc or ~/.zshrc and the global settings.json file to enable experimental features that grant broader tool execution permissions.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level: HIGH
Analyzed: Mar 3, 2026, 11:56 AM