team-harness
Pass
Audited by Gen Agent Trust Hub on Apr 3, 2026
Risk Level: SAFE
COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill suggests using the `--dangerously-skip-permissions` flag for team sessions. While this is a feature of the underlying platform (Claude Code), it explicitly removes the human-in-the-loop security control, allowing autonomous agents to execute potentially harmful actions without individual confirmation.
- [PROMPT_INJECTION]: The skill is vulnerable to Indirect Prompt Injection (Category 8) due to its architecture for setting up specialized agent teams.
  - Ingestion points: The `/team setup` command instructs the agent to read untrusted project files such as `README`, `CLAUDE.md`, and `package.json` (or equivalent) to understand the project context and fill template placeholders.
  - Boundary markers: The generated agent definitions (`engineer.md`, `qa-tester.md`, `dev-watcher.md`) do not include boundary markers or explicit instructions to ignore potentially malicious commands embedded within the project context placeholders.
  - Capability inventory: The spawned agents (Engineer, QA Tester, etc.) have significant capabilities, including reading/writing source code, executing build commands, and using browser automation tools (Playwright).
  - Sanitization: No sanitization or validation of the content read from project files is performed before it is interpolated into the prompts used to define sub-agent behavior.
Audit Metadata