agent-manager
Fail
Audited by Gen Agent Trust Hub on Apr 24, 2026
Risk Level: HIGH
EXTERNAL_DOWNLOADS, REMOTE_CODE_EXECUTION, COMMAND_EXECUTION
Full Analysis
- [EXTERNAL_DOWNLOADS]: The scripts/install.sh script downloads code from github.com/fractalmind-ai/agent-manager-skill using both git clone and the openskills utility. This downloads third-party code that is then executed on the host system.
- [REMOTE_CODE_EXECUTION]: The skill allows the definition of arbitrary launcher binaries and launcher_args in agent configuration files. These commands are executed by the skill's Python scripts in tmux sessions, providing an interface for executing arbitrary commands.
- [COMMAND_EXECUTION]: The skill documentation and sample configurations in setup.sh explicitly use and recommend the --dangerously-skip-permissions flag for the Claude Code launcher. This flag bypasses interactive security prompts for tool use, significantly increasing the risk of automated malicious actions.
- [PERSISTENCE]: The schedule sync and heartbeat sync commands modify the user's crontab to schedule recurring tasks. This establishes a persistence mechanism that can run arbitrary commands at defined intervals across system reboots.
- [INDIRECT_PROMPT_INJECTION]: The skill ingests untrusted data from project files and injects it into agent sessions.
  - Ingestion points: Configuration and instruction data are read from agents/*.md and HEARTBEAT.md.
  - Boundary markers: Absent. The skill passes descriptions, tasks, and heartbeat instructions directly to agent sessions without delimiters or ignore-instructions warnings.
  - Capability inventory: The skill possesses capabilities for shell command execution, file system interaction, and modification of system persistence (crontab).
  - Sanitization: None. Input from repository files is used in shell commands and session messages without validation or sanitization.
Recommendations
- AI detected serious security threats
Audit Metadata