skills/witooh/skills/neo-team-claude/Gen Agent Trust Hub

neo-team-claude

Warn

Audited by Gen Agent Trust Hub on Mar 19, 2026

Risk Level: MEDIUM
Categories: DATA_EXFILTRATION, COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
  • [DATA_EXFILTRATION]: The skill instructs the System Analyzer agent to automatically read sensitive environment configuration files (e.g., .env.sit, .env.uat, .env.prod) to retrieve credentials and configuration for database and infrastructure access. This pattern facilitates the exposure of sensitive credentials to the AI model.
  • [COMMAND_EXECUTION]: Specialist agents are granted the capability to execute high-privilege system commands via the Bash tool. This includes performing Kubernetes operations (kubectl), executing database queries (psql), managing containers (docker), and monitoring deployments (argocd) as documented in the system-analyzer-cli-tools reference.
  • [PROMPT_INJECTION]: The orchestration framework presents a significant surface for indirect prompt injection.
      • Ingestion points: Untrusted data is ingested from various sources including user requests, pull request diffs (in workflows.md), system logs, and database query results (in system-analyzer.md).
      • Boundary markers: Prompts lack explicit delimiters or instructions to ignore embedded commands in processed data, relying only on markdown headers.
      • Capability inventory: Sub-agents have extensive capabilities including Bash, Edit, Write, and the ability to spawn further agents via the Agent tool.
      • Sanitization: There is no evidence of sanitization or filtering of external content before interpolation into sub-agent prompts.
Audit Metadata
Risk Level: MEDIUM
Analyzed: Mar 19, 2026, 10:02 AM