execution-manager

Warn

Audited by Gen Agent Trust Hub on Feb 21, 2026

Risk Level: MEDIUM (COMMAND_EXECUTION, PROMPT_INJECTION)
Full Analysis
  • [COMMAND_EXECUTION] (MEDIUM): Potential for shell injection. The script interpolates variables like section names and branch names from 'meta.yaml' directly into 'git' and 'tmux' command strings. If these values are maliciously crafted, they could allow arbitrary command execution on the host system.
  • [PROMPT_INJECTION] (LOW): Indirect prompt injection surface (Category 8).
      1. Ingestion points: Metadata files ('meta.yaml'), error reports ('error-report.md'), and session logs ('tmux capture-pane').
      2. Boundary markers: None. Data is passed to sub-agents without delimiters or protective instructions.
      3. Capability inventory: Shell command execution, git worktree manipulation, and AI agent orchestration via the 'claude' CLI.
      4. Sanitization: None. External content is not sanitized before being used in logic or prompts.
  • [COMMAND_EXECUTION] (MEDIUM): Vulnerable session interaction. The skill uses 'tmux send-keys' to inject text into background sessions. Since the injected content can be derived from untrusted session outputs or local files, it provides a vector for an attacker to hijack the sub-agent's shell.
Audit Metadata
Risk Level: MEDIUM
Analyzed: Feb 21, 2026, 08:22 AM