squad-explore
Pass
Audited by Gen Agent Trust Hub on Jun 13, 2026
Risk Level: SAFE
PROMPT_INJECTION, COMMAND_EXECUTION, DATA_EXFILTRATION
Full Analysis
- [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection because the user-provided topic is directly interpolated into instructions for 'Explore' and 'Plan' subagents.
  - Ingestion points: The `[topic]` argument in the `/squad-explore` command (SKILL.md).
  - Boundary markers: The topic is placed within double quotes in subagent prompts, but no instructions are provided to ignore potentially malicious commands within that string.
  - Capability inventory: The skill can read arbitrary codebase files (including configuration), spawn subagents, and execute shell commands via `curl`.
  - Sanitization: There is no evidence of input validation or sanitization for the `<TOPIC>` variable before it is used in subagent prompts.
- [COMMAND_EXECUTION]: The skill uses shell commands (`curl`, `jq`, `bash`) to interact with a task management system and process data. These commands are used to create, attach, and update tasks on a board.
- [DATA_EXFILTRATION]: The skill performs network operations using `curl` to send project information and exploration reports to an API endpoint defined by the `$BASE_URL` environment variable. It also reads project configuration files such as `package.json` and `tsconfig` to gather metadata for the reports.
Audit Metadata