team-interactive-craft

Pass

Audited by Gen Agent Trust Hub on May 5, 2026

Risk Level: SAFE | PROMPT_INJECTION | COMMAND_EXECUTION
Full Analysis
  • [PROMPT_INJECTION]: The skill exhibits an indirect prompt injection surface through its orchestration logic. The coordinator agent interpolates untrusted user input into the system prompt used to spawn sub-agents.
    • Ingestion points: User-supplied task descriptions passed via arguments to SKILL.md and managed in roles/coordinator/role.md.
    • Boundary markers: No explicit delimiters or instruction isolation (e.g., 'ignore embedded instructions' warnings) are used around the variable in the Agent spawn prompt template.
    • Capability inventory: Spawned sub-agents have access to powerful tools including Bash, Write, Edit, and Agent.
    • Sanitization: No sanitization or validation of the input text is documented before it is interpolated into sub-agent prompts.
  • [COMMAND_EXECUTION]: The skill performs shell command execution to support its workflow. The coordinator role uses Bash to resolve the current working directory in roles/coordinator/role.md, and the researcher role is instructed to use a CLI tool (ccw cli) for codebase analysis in roles/researcher/role.md.
  • [DYNAMIC_EXECUTION]: The skill performs dynamic instruction generation. The handleAdapt logic in roles/coordinator/commands/monitor.md generates new role specification files at runtime to address detected capability gaps. These files are then used as authoritative instructions for newly spawned agents.
  • [DYNAMIC_EXECUTION]: The skill uses dynamic file path construction to load role instructions. Both SKILL.md and roles/coordinator/commands/monitor.md compute paths to instruction files using a variable role name (e.g., roles//role.md), which is a pattern associated with dynamic loading from computed paths.
Audit Metadata
  • Risk Level: SAFE
  • Analyzed: May 5, 2026, 04:03 AM