using-agent-relay
Warn
Audited by Gen Agent Trust Hub on Mar 14, 2026
Risk Level: MEDIUMCOMMAND_EXECUTIONCREDENTIALS_UNSAFEPROMPT_INJECTIONDATA_EXFILTRATION
Full Analysis
- [COMMAND_EXECUTION]: The skill provides tools like
mcp__relaycast__agent_addandmcp__relaycast__command_invokewhich allow the agent to spawn external CLI processes (e.g., aider, goose, claude) and execute arbitrary registered commands. - [CREDENTIALS_UNSAFE]: The tool
mcp__relaycast__workspace_set_keyis used to programmatically set and manage workspace API keys, which presents a risk of sensitive credential exposure or unauthorized configuration changes. - [PROMPT_INJECTION]: The skill's core functionality of inter-agent messaging creates a significant surface for indirect prompt injection.
- Ingestion points: Tools such as
mcp__relaycast__dm_get,mcp__relaycast__message_get, andmcp__relaycast__inbox_checkin SKILL.md ingest content from other agents. - Boundary markers: None; messages are processed as raw strings, and there are no instructions provided to the agent to treat this data as untrusted or to ignore embedded commands.
- Capability inventory: The skill has access to powerful tools including process spawning (
mcp__relaycast__agent_add), command execution (mcp__relaycast__command_invoke), and file uploads (mcp__relaycast__file_upload). - Sanitization: No content sanitization or validation mechanisms are described for incoming messages.
- [DATA_EXFILTRATION]: The inclusion of webhook tools (
mcp__relaycast__webhook_createandmcp__relaycast__webhook_trigger) allows for the creation of arbitrary network egress points which could be exploited to exfiltrate sensitive data.
Audit Metadata