skills/flora131/atomic/subagent/Gen Agent Trust Hub

subagent

Warn

Audited by Gen Agent Trust Hub on Jun 22, 2026

Risk Level: MEDIUMCOMMAND_EXECUTIONPROMPT_INJECTIONDATA_EXFILTRATIONEXTERNAL_DOWNLOADS
Full Analysis
  • [PROMPT_INJECTION]: The skill is highly susceptible to indirect prompt injection because it is designed to ingest and process untrusted data from external sources.
    • Ingestion points: The documentation in SKILL.md instructs the orchestrator to fetch content from URLs, PR bodies, issues, and freeform targets provided by users or external sources.
    • Boundary markers: While the skill includes instructions for "boundary instructions" for child agents to prevent them from taking over orchestration, these do not prevent the execution of malicious instructions contained within the fetched data.
    • Capability inventory: Subagents are equipped with powerful tools including bash, edit, write, web_search, and fetch_content across various built-in roles like debugger and codebase-online-researcher (defined in SKILL.md).
    • Sanitization: The skill contains no instructions for sanitizing or escaping the data fetched from external sources before passing it into the subagent's task prompt.
  • [COMMAND_EXECUTION]: The orchestration framework grants subagents (debugger, code-simplifier, codebase-analyzer, etc.) access to the bash tool. This allows the AI to execute arbitrary commands within the project environment, which could be exploited to modify system files or execute malicious scripts if the agent is compromised via prompt injection.
  • [DATA_EXFILTRATION]: There is a risk of data exfiltration because the skill coordinates agents that have both read access to the local codebase (read, grep, find) and network access (web_search, fetch_content, browser). A compromised subagent could read sensitive repository data or environment variables and send them to an external server.
  • [EXTERNAL_DOWNLOADS]: The codebase-online-researcher and debugger agents are explicitly configured to use fetch_content and web_search to retrieve data from external URLs. This functionality can be used to download third-party scripts or configurations that are subsequently processed or executed by other subagents with command-line access.
Audit Metadata
Risk Level
MEDIUM
Analyzed
Jun 22, 2026, 05:41 PM
Security Audit — agent-trust-hub — subagent