claude-subagent-milady-bridge
Pass
Audited by Gen Agent Trust Hub on May 1, 2026
Risk Level: SAFE
Full Analysis
- [SAFE]: Establishes a read-only context bridge for sub-agents, using local loopback endpoints (/api/coding-agents/) to prevent external data exposure.
- [SAFE]: Contains explicit instructions to avoid sharing sensitive credentials, specifically advising against providing the parent's API key to spawned child agents.
- [SAFE]: Implements a principle of least privilege by restricting sub-agent access to specific GET endpoints for character and memory retrieval without providing write permissions or action delegation.
- [PROMPT_INJECTION]: The skill defines an attack surface for indirect prompt injection by enabling sub-agents to ingest historical memory from the parent runtime.
- Ingestion points: Data enters the sub-agent via the /api/coding-agents/<sessionId>/memory and parent-context endpoints.
- Boundary markers: No explicit delimiters or boundary markers are defined in the instructions to isolate untrusted historical data.
- Capability inventory: Target sub-agents (e.g., Claude Code, Aider) typically possess significant capabilities including file system access and shell execution.
- Sanitization: No sanitization, filtering, or validation of the retrieved context is described within the bridge protocol.
Audit Metadata