subagent
Warn
Audited by Gen Agent Trust Hub on Jun 22, 2026
Risk Level: MEDIUMCOMMAND_EXECUTIONPROMPT_INJECTIONDATA_EXFILTRATIONEXTERNAL_DOWNLOADS
Full Analysis
- [PROMPT_INJECTION]: The skill is highly susceptible to indirect prompt injection because it is designed to ingest and process untrusted data from external sources.
- Ingestion points: The documentation in SKILL.md instructs the orchestrator to fetch content from URLs, PR bodies, issues, and freeform targets provided by users or external sources.
- Boundary markers: While the skill includes instructions for "boundary instructions" for child agents to prevent them from taking over orchestration, these do not prevent the execution of malicious instructions contained within the fetched data.
- Capability inventory: Subagents are equipped with powerful tools including
bash,edit,write,web_search, andfetch_contentacross various built-in roles likedebuggerandcodebase-online-researcher(defined in SKILL.md). - Sanitization: The skill contains no instructions for sanitizing or escaping the data fetched from external sources before passing it into the subagent's task prompt.
- [COMMAND_EXECUTION]: The orchestration framework grants subagents (
debugger,code-simplifier,codebase-analyzer, etc.) access to thebashtool. This allows the AI to execute arbitrary commands within the project environment, which could be exploited to modify system files or execute malicious scripts if the agent is compromised via prompt injection. - [DATA_EXFILTRATION]: There is a risk of data exfiltration because the skill coordinates agents that have both read access to the local codebase (
read,grep,find) and network access (web_search,fetch_content,browser). A compromised subagent could read sensitive repository data or environment variables and send them to an external server. - [EXTERNAL_DOWNLOADS]: The
codebase-online-researcheranddebuggeragents are explicitly configured to usefetch_contentandweb_searchto retrieve data from external URLs. This functionality can be used to download third-party scripts or configurations that are subsequently processed or executed by other subagents with command-line access.
Audit Metadata