explore
Pass
Audited by Gen Agent Trust Hub on Apr 8, 2026
Risk Level: SAFE
Findings: PROMPT_INJECTION, COMMAND_EXECUTION
Full Analysis
- [PROMPT_INJECTION]: The skill exhibits a surface for indirect prompt injection. It ingests untrusted data from the repository via Grep, Glob, and Read tools and passes it to specialized sub-agents without using boundary markers or explicit instructions to disregard embedded commands.
- Ingestion points: Code snippets and file contents retrieved from the local repository during exploration tasks.
- Boundary markers: None identified in the sub-agent prompts defined in rules/exploration-agents.md or rules/agent-teams-mode.md.
- Capability inventory: The agent possesses capabilities such as Bash execution, file writing (Write), and task management (TaskCreate).
- Sanitization: There is no evidence of sanitization, escaping, or validation of the external content before it is interpolated into sub-agent prompts.
- [PROMPT_INJECTION]: User-supplied arguments are directly interpolated into the prompts for sub-agents. A user could provide input designed to override the agent's instructions (e.g., including commands like 'ignore all previous instructions' or 'reveal your system prompt') instead of a legitimate exploration topic.
- [COMMAND_EXECUTION]: The skill uses the Bash tool to execute a local script scripts/dependency-mapper.sh for static analysis. While the script's logic is benign, any shell script execution using user-influenced path arguments represents a potential command injection surface if the executing agent does not properly sanitize inputs before passing them to the shell environment.
Audit Metadata