worker
Pass
Audited by Gen Agent Trust Hub on Mar 5, 2026
Risk Level: SAFE
PROMPT_INJECTION
Full Analysis
- [PROMPT_INJECTION]: The skill creates a surface for indirect prompt injection by directing the agent to execute instructions from untrusted external sources.
- Ingestion points: The agent is explicitly instructed to read and follow instructions from several files: inbox.md, mailbox/<workerName>.json, and task-<id>.json.
- Boundary markers: The protocol lacks explicit delimiters or instructions to treat the content of these external files as untrusted data rather than system commands.
- Capability inventory: While the skill itself only lists MCP tools for state management (team_send_message, team_claim_task, etc.), it instructs the agent to "do the work" described in task files, which may involve the use of other powerful tools (filesystem access, shell execution) if available to the agent.
- Sanitization: There is no mention of sanitization, validation, or filtering of the content received via the team's mailbox or task queue.
Audit Metadata