phantom-ai-coworker
Fail
Audited by Gen Agent Trust Hub on Mar 31, 2026
Risk Level: HIGH
Flags: COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, REMOTE_CODE_EXECUTION, CREDENTIALS_UNSAFE, PROMPT_INJECTION, DATA_EXFILTRATION
Full Analysis
- [COMMAND_EXECUTION]: The skill uses child_process.exec to run arbitrary shell commands on its host environment, including provisioning Docker containers and managing file systems.
- [COMMAND_EXECUTION]: The provided docker-compose.yaml configuration mounts the host's Docker socket (/var/run/docker.sock) into the container. This configuration allows the agent process to potentially escape the container environment and gain root access to the host machine.
- [REMOTE_CODE_EXECUTION]: The skill dynamically generates and registers new MCP tools at runtime based on agent observations and stored memory.
- [EXTERNAL_DOWNLOADS]: Fetches setup scripts and configuration templates from the official GitHub repository (github.com/ghostwright/phantom) during the installation process.
- [CREDENTIALS_UNSAFE]: Manages multiple highly sensitive credentials in a .env file, including Anthropic API keys, Slack bot tokens, and email service keys.
- [PROMPT_INJECTION]: Exhibits a high vulnerability to indirect prompt injection. It ingests untrusted data from Slack messages, emails, and webhooks (SKILL.md), which is then interpolated into a system prompt without boundary markers or sanitization. This is processed by an agent with extensive capabilities, including shell command execution, Docker container management, and file system access.
- [DATA_EXFILTRATION]: The agent possesses the capability to read local files and send data to external endpoints via Slack, Email, and Webhook channels.
Recommendations
- AI detected serious security threats
Audit Metadata