dispatching-coding-agents
Warn
Audited by Gen Agent Trust Hub on May 9, 2026
Risk Level: MEDIUM
Findings: COMMAND_EXECUTION, DATA_EXFILTRATION, CREDENTIALS_UNSAFE, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill encourages the use of security-bypass flags such as `--dangerously-skip-permissions` for Claude Code and `--full-auto` for Codex. These flags disable safety prompts and human-in-the-loop (HITL) approvals, allowing sub-agents to execute arbitrary commands without user review.
- [DATA_EXFILTRATION]: Provides templates and command examples for transmitting local repository data, architectural details, and `git diff` output to external AI service providers. This establishes a pattern for large-scale data exposure from the local environment to third-party APIs.
- [CREDENTIALS_UNSAFE]: References and directs access to sensitive local storage paths where session logs are kept, including `~/.claude/projects/` and `~/.codex/sessions/`. These files contain comprehensive histories of tool calls, reasoning steps, and potentially sensitive code or environment data.
- [PROMPT_INJECTION]: The skill creates a significant surface for indirect prompt injection by ingesting untrusted repository data and passing it to autonomous sub-agents.
  - Ingestion points: Reads files from the local filesystem, repository history, and `git diff` output.
  - Boundary markers: Uses structural templates like `TASK` and `CONTEXT` but lacks robust delimiters or instructions for sub-agents to ignore embedded commands within the ingested data.
  - Capability inventory: The dispatched sub-agents possess broad capabilities, including filesystem access and shell execution, which could be exploited if they obey instructions hidden in project files.
  - Sanitization: There is no evidence of sanitization or filtering of external content before it is interpolated into the context provided to sub-agents.
Audit Metadata