team-executor
Pass
Audited by Gen Agent Trust Hub on Mar 7, 2026
Risk Level: SAFE
PROMPT_INJECTION, COMMAND_EXECUTION
Full Analysis
- [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection (Category 8) because it processes untrusted user 'braindumps' and external skill descriptions which are then interpolated into prompts for subagents.
  * Ingestion points: Raw user input is captured in Phase 1, Step 1 of SKILL.md, and local/system skill files are scanned in Step 2 using the scan-project.sh script.
  * Boundary markers: The skill uses structured markdown files (docs/plans/goal-analysis.md) as a reference, which provides minimal separation but lacks robust delimiters or specific instructions for subagents to ignore malicious commands hidden within the ingested text.
  * Capability inventory: The framework spawns subagents with broad permissions to write files, execute shell commands, and modify the codebase autonomously ('no human intervention required').
  * Sanitization: There is no evidence of input sanitization or filtering for the content extracted from user inputs or discovered skill files.
- [COMMAND_EXECUTION]: The skill executes local shell scripts (scan-project.sh and init-plan-dirs.sh) to gather project context and initialize directories. These scripts perform operations using standard system tools like find, sed, tree, and mkdir to discover existing project structure and available skills across the system.