agent-manager-skill
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGHEXTERNAL_DOWNLOADSREMOTE_CODE_EXECUTIONCOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
- [EXTERNAL_DOWNLOADS] (HIGH): The skill requires cloning a repository from an untrusted source (github.com/fractalmind-ai/agent-manager-skill.git) that is not part of the established trust scope.
- [REMOTE_CODE_EXECUTION] (HIGH): The skill executes downloaded scripts (python3 agent-manager/scripts/main.py) directly from the cloned repository. This download-then-execute pattern allows for execution of arbitrary code from an unverified source.
- [COMMAND_EXECUTION] (MEDIUM): The skill relies on tmux and python3 to spawn and manage local processes and interact with system utilities.
- [Persistence Mechanisms] (HIGH): The skill explicitly claims cron-friendly scheduling, which involves modifying system crontabs to maintain recurring access and execution.
- [Indirect Prompt Injection] (HIGH): The 'assign' command creates a vulnerability surface by passing untrusted instructions to agents with process control capabilities.
- Ingestion points: Task strings passed via heredoc to the assign command.
- Boundary markers: Absent; instructions are interpolated directly into the manager's context.
- Capability inventory: Full process management via tmux, file log monitoring, and system scheduling via cron.
- Sanitization: No evidence of input validation or sanitization before passing tasks to agents.
Recommendations
- AI detected serious security threats
Audit Metadata