messaging
Pass
Audited by Gen Agent Trust Hub on Mar 18, 2026
Risk Level: SAFEPROMPT_INJECTION
Full Analysis
- [PROMPT_INJECTION]: The skill facilitates indirect prompt injection by automatically delivering messages from other agents into the active conversation history.
- Ingestion points: Messages are read from JSON files located at
~/.claude/teams/{team}/inboxes/{agent}.json. - Boundary markers: No explicit delimiters or instructions to ignore embedded commands are described; messages appear as normal conversation turns.
- Capability inventory: The messaging system allows agents to influence teammate states through shutdown requests, plan approvals, and direct messaging.
- Sanitization: There is no evidence of input validation or content filtering for the
contentortextfields of the messages.
Audit Metadata