team-management

Fail

Audited by Gen Agent Trust Hub on Mar 18, 2026

Risk Level: HIGH
Findings: COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The skill enables the spawning of persistent background agents using the Task() tool. These agents are capable of executing arbitrary logic and commands based on user-provided prompts, potentially operating without direct supervision for extended periods.
  • [COMMAND_EXECUTION]: The permissions model dictates that teammates inherit the leader's security settings. If the leader is running with the '--dangerously-skip-permissions' flag, all spawned teammates will also bypass human-in-the-loop approvals. This significantly increases the risk of automated, destructive actions if any agent in the team receives malicious or erroneous instructions.
  • [PROMPT_INJECTION]: The skill architecture is vulnerable to indirect prompt injection due to its collaborative nature. Agents read from a shared task list and inter-agent inboxes stored as JSON files on the local filesystem.
    • Ingestion points: Teammates ingest data from files located in '/.claude/tasks/' and '/.claude/teams/*/inboxes/'.
    • Boundary markers: The documentation does not specify the use of delimiters or 'ignore' instructions to separate agent logic from untrusted task data.
    • Capability inventory: Teammates have the capability to execute tasks, analyze codebases, and communicate with other agents, often running in the background.
    • Sanitization: There is no evidence of sanitization, validation, or escaping of the content exchanged via the inbox or task systems.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level
HIGH
Analyzed
Mar 18, 2026, 10:11 AM
Security Audit — agent-trust-hub — team-management