agent-teams
Pass
Audited by Gen Agent Trust Hub on May 14, 2026
Risk Level: SAFE
PROMPT_INJECTION
Full Analysis
- [PROMPT_INJECTION]: The skill establishes an orchestration workflow where agents exchange messages and share task lists, creating a surface for indirect prompt injection.
- Ingestion points: Agents ingest data from external sources (other agents) via the SendMessage tool and shared state via TaskList and config files in ~/.claude/teams/.
- Boundary markers: There are no explicit delimiters or instructions provided to ignore or isolate potentially malicious commands embedded in inter-agent messages.
- Capability inventory: Agents are granted file system access (Read, Glob, Grep, TodoWrite) and can spawn or coordinate further sub-agents, which could be abused if an agent is influenced by malicious input.
- Sanitization: The instructions do not describe sanitization or validation of the content received through the messaging system.
- [SAFE]: The skill includes an 'Out-of-scope discovery protocol' that instructs agents to immediately stop and report if they find a need to modify files outside their assigned write scope, which is a defensive best practice.
- [SAFE]: The skill identifies a known vendor-related path resolution bug (issue #1091) and provides a technical workaround using absolute paths to prevent accidental file corruption.
Audit Metadata