agent-cli-delegation-operations
Warn
Audited by Gen Agent Trust Hub on Jun 23, 2026
Risk Level: MEDIUMCOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill instructs the agent to use the
--dangerously-bypass-approvals-and-sandboxflag for the Codex CLI tool. This flag explicitly disables sandbox protections for subagent execution, which the skill recommends as a workaround for specific environmental failures (e.g., loopback errors). - [COMMAND_EXECUTION]: The skill defines a "Worker Patch Loop" pattern that directs subagents to directly modify and patch their own instruction files (
.md) or policy files. This self-modifying behavior can be used to persistently alter agent logic and behavior across sessions. - [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection (Category 8) due to its data-handling patterns:
- Ingestion points: The skill reads untrusted content from GitHub issues (
gh issue view) and repository logs (git log) to drive delegation decisions. - Boundary markers: The instructions do not specify the use of boundary markers or protective delimiters when processing or delegating untrusted external data.
- Capability inventory: The agent possesses high-privilege capabilities, including arbitrary command execution via
terminaland the ability to launch subagents with bypassed security sandboxes. - Sanitization: There is no requirement for sanitization or validation of content retrieved from external sources before it is interpolated into agent prompts or subagent goals.
- [COMMAND_EXECUTION]: The skill provides instructions for manual process termination using the
killcommand based on process IDs (PIDs). While intended for recovering stalled runs, this capability could be misapplied if process identification logic is compromised.
Audit Metadata