Skills
skills/starchild-ai-agent/official-skills/agent-builder/Gen Agent Trust Hub

agent-builder

Fail

Audited by Gen Agent Trust Hub on May 12, 2026

Risk Level: HIGHCOMMAND_EXECUTIONREMOTE_CODE_EXECUTIONDATA_EXFILTRATIONPROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The AgentBuildTool is vulnerable to Python code injection. It generates executable scripts (run.py) by performing string replacement on templates, injecting the user-provided display_name directly into a triple-quoted docstring without sanitization. An attacker can break out of the docstring (e.g., by providing a display name containing """) to execute arbitrary Python commands when the platform's task scheduler runs the script.
  • [REMOTE_CODE_EXECUTION]: The skill dynamically generates and overwrites Python scripts in the platform's tasks/ directory. This dynamic code generation, combined with the injection vulnerability noted above, allows for persistent arbitrary code execution on the host environment.
  • [DATA_EXFILTRATION]: The AgentBuildTool is vulnerable to path traversal. The team parameter is used to construct filesystem paths (agents/{team}/{name}) without sanitization. By providing a team name like ../../, an attacker could cause the tool to create directories and write files (such as agent.yaml, tasks.json, and PROMPT.md) in unauthorized locations outside the workspace.
  • [PROMPT_INJECTION]: The tool constructs prompts for micro-agents by directly interpolating user-supplied fields such as role, goal, and custom_instructions into the PROMPT.md file. These fields are not sanitized, allowing an attacker to inject malicious system-level instructions into the created agents.
  • [PROMPT_INJECTION]: The micro-agents created by this tool are vulnerable to Indirect Prompt Injection. They are designed to ingest untrusted data from various sources (inbox messages, external files via data_sources, and teammate outputs) but the provided prompt templates (default.md, monitor.md, researcher.md) do not use any boundary markers or delimiters to isolate untrusted content from agent instructions.
  • Ingestion points: inbox.json, tasks.json, data_sources file paths, and JSON files in teammate output directories.
  • Boundary markers: Entirely absent; uses plain markdown headers for data sections.
  • Capability inventory: Micro-agents can invoke any platform tool, including bash, read_file, write_file, and sessions_spawn.
  • Sanitization: None; external data is read and concatenated directly into prompts.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level
HIGH
Analyzed
May 12, 2026, 01:04 AM