delegate-agent

Warn

Audited by Gen Agent Trust Hub on Mar 1, 2026

Risk Level: MEDIUM
REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, CREDENTIALS_UNSAFE, PROMPT_INJECTION
Full Analysis
  • [REMOTE_CODE_EXECUTION]: The skill programmatically triggers GitHub Actions workflows by creating Git branches and committing task files via the GitHub API.
      • The createDelegateBranch and spawnDelegateAgent functions in delegate-spawn.js use the GitHub API to create branches, blobs, and commits.
      • This enables the agent to initiate remote execution within the repository's GitHub Actions environment.
  • [CREDENTIALS_UNSAFE]: The skill utilizes a high-privilege GitHub Personal Access Token for authentication.
      • It accesses the GH_TOKEN environment variable to authorize requests to api.github.com.
      • This token grants the agent the ability to perform write operations, such as creating commits and branches, on the remote repository.
  • [COMMAND_EXECUTION]: The skill uses local process management modules to execute scripts and handle sub-processes.
      • delegate-spawn.js imports and utilizes child_process.spawn and child_process.execSync.
      • The test.js file uses execSync to run the skill's CLI tools during testing.
  • [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection when processing logs from sub-agents.
      • Ingestion points: The spawnDelegateAgent function in delegate-spawn.js reads session logs from the local logs/ directory using fs.readFileSync.
      • Boundary markers: No delimiters or boundary markers are used to separate sub-agent output from the parent agent's instructions.
      • Capability inventory: The skill can modify remote repositories, trigger CI/CD actions, and execute local commands.
      • Sanitization: The script does not perform sanitization or validation of the log content before extracting and returning the result or text fields.
Audit Metadata
  • Risk Level: MEDIUM
  • Analyzed: Mar 1, 2026, 05:11 AM