cross-agent-delegation
Pass
Audited by Gen Agent Trust Hub on May 6, 2026
Risk Level: SAFECOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill executes various local binaries (
kimi,codex,icpg,mnemos) and references several shell scripts (codex-auto-review.sh,tdd-loop-check.sh,icpg-stop-record.sh,mnemos-checkpoint.sh) to perform environment detection, complexity scoring, and delegated agent execution. - [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection during its delegation phase. It ingests data from the filesystem and session state via
icpgandmnemos(Ingestion points) and interpolates this content directly into the prompt for thekimisub-agent. The skill lacks boundary markers or explicit isolation instructions (Boundary markers absent) and does not perform any escaping or validation of the ingested content (Sanitization absent). This provides a surface where malicious code within an analyzed file could influence the behavior of the sub-agent (Capability inventory: execution ofkimiwith dynamic prompts).
Audit Metadata