gm
Warn
Audited by Gen Agent Trust Hub on Mar 29, 2026
Risk Level: MEDIUM
Findings: COMMAND_EXECUTION, REMOTE_CODE_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill implements a custom `exec:<lang>` protocol that instructs the agent to execute code in over ten different runtimes (Node.js, Python, Go, Rust, C++, etc.), creating a broad attack surface for arbitrary code execution beyond standard tool usage.
- [REMOTE_CODE_EXECUTION]: Detailed instructions are provided for managing system-level background processes using PM2 (`gm-exec-runner` and `gm-exec-task`), allowing the agent to initiate and monitor persistent processes on the host machine.
- [DATA_EXFILTRATION]: The skill explicitly directs the agent to perform direct file system operations using Node.js `require('fs')` and manages shared state through a `.prd` file on disk, which presents a risk of unauthorized data access or exposure.
- [PROMPT_INJECTION]: The framing of the agent as a 'Root Orchestrator' that must 'think in state, not prose' and follow a rigid state-machine logic attempts to override the AI's default reasoning protocols and safety constraints.
- [PROMPT_INJECTION]: Vulnerability to indirect prompt injection exists through the ingestion of external data.
  1. Ingestion points: reads from the `.prd` file and witnessed execution outputs (SKILL.md).
  2. Boundary markers: absent.
  3. Capability inventory: arbitrary code execution in multiple languages, file system writing, and PM2 process management (SKILL.md).
  4. Sanitization: no sanitization or validation of the ingested state data is mentioned.
Audit Metadata