agent-teams
Pass
Audited by Gen Agent Trust Hub on May 8, 2026
Risk Level: SAFEDATA_EXFILTRATIONCREDENTIALS_UNSAFEPROMPT_INJECTIONCOMMAND_EXECUTION
Full Analysis
- [DATA_EXFILTRATION]: The skill includes functionality to locate and read SQLite cookie databases from the Microsoft Teams desktop application and various Chromium-based browsers (Chrome, Edge, etc.). This is used to extract session tokens (
skypetoken_asm) for authentication. While this involves accessing sensitive application data, it is a documented core feature of the tool. - [CREDENTIALS_UNSAFE]: Extracted authentication tokens are stored in plaintext at
~/.config/agent-messenger/teams-credentials.json. Although the skill sets file permissions to 0600 (owner-only access), the storage of active session tokens on the filesystem presents a risk if the local environment is compromised. - [PROMPT_INJECTION]: The skill creates an indirect prompt injection surface by reading content from Microsoft Teams channels which may be controlled by third parties.
- Ingestion points: Untrusted data enters the agent context via the
agent-teams message listandagent-teams snapshotcommands inSKILL.md. - Boundary markers: The instructions do not define specific delimiters or warnings to the agent regarding embedded instructions in channel messages.
- Capability inventory: The agent has the ability to send messages, upload files, and manage reactions using the
agent-teamsCLI tool. - Sanitization: No explicit sanitization or filtering of channel message content is described in the provided files.
- [COMMAND_EXECUTION]: The skill operates by executing the
agent-teamsCLI tool (part of theagent-messengerpackage) through the Bash tool to perform API interactions.
Audit Metadata