Delegation
Pass
Audited by Gen Agent Trust Hub on Jun 30, 2026
Risk Level: SAFECOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill contains instructions for executing a local utility script via
bun runlocated at~/.claude/skills/Agents/Tools/ComposeAgent.tsto facilitate agent identity generation. - [COMMAND_EXECUTION]: An execution logging workflow is defined that appends task metadata to a local JSONL file (
~/.claude/PAI/MEMORY/SKILLS/execution.jsonl) using shell append operations. - [PROMPT_INJECTION]: The skill defines patterns for passing prompts and context to subagents and teams, which represents an inherent surface for indirect prompt injection:
- Ingestion points: User-provided task descriptions and message content (e.g., in
Task()andSendMessage()) are processed as instructions for subordinate agents. - Boundary markers: Delimiters or instructions to ignore embedded content are not explicitly defined in the provided orchestration examples.
- Capability inventory: Subagents created via these patterns have capabilities spanning file system access, shell execution, and tool usage depending on the agent type (e.g.,
EngineerorArchitect). - Sanitization: No input validation or escaping mechanisms are described for the data passed between agents in the documented workflows.
Audit Metadata