delegate-router
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGH
Tags: CREDENTIALS_UNSAFE, COMMAND_EXECUTION
Full Analysis
- [Data Exposure & Exfiltration] (HIGH): The skill explicitly instructs the agent to read from ~/.claude/config/agent-registry.yaml and search through directories like ~/.claude/skills/ and ~/.claude/db/. In AI agent environments, the ~/.claude/ directory is a highly sensitive location that commonly stores authentication tokens, API keys, and private interaction history. Instructions to treat these files as a 'source of truth' create a risk of credential exposure if the agent is prompted to reveal its configuration.
- [Indirect Prompt Injection] (HIGH): The skill operates by processing arbitrary user tasks to determine routing logic.
- Ingestion points: Untrusted user input triggers the logic for 'complex tasks' and 'multi-step operations'.
- Boundary markers: None. There are no delimiters or instructions to ignore embedded commands within the tasks being routed.
- Capability inventory: The skill has high-privilege capabilities including reading the local filesystem, invoking external CLIs (gemini, codex, amp), and spawning background processes via run_in_background=true.
- Sanitization: No validation or sanitization of the 'Task' content is performed before it is passed to sub-agents or external tools, allowing an attacker to embed instructions that hijack the delegated agent's behavior.
- [Unverifiable Dependencies] (LOW): The skill references external CLIs like gemini and codex. While these are likely legitimate tools, the skill assumes their presence and correct configuration on the host system without verification.
Recommendations
- AI detected serious security threats
Audit Metadata