implement
Audit result: Fail
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: HIGH (PROMPT_INJECTION, COMMAND_EXECUTION, DATA_EXFILTRATION)
Full Analysis
- Indirect Prompt Injection (HIGH): Ingestion point: mcp__mcp-agent-mail__fetch_inbox, referenced in references/distributed-mode.md. Boundary markers: none identified; fetched message bodies are not delimited from the skill's own instructions. Capability inventory: the bd CLI (issue state updates) and general file-system access for implementation tasks. Sanitization: none identified. Risk: GUIDANCE or HELP_RESPONSE messages arrive from outside the skill, so anyone able to write to the inbox can place instructions into the agent's context that override the skill's logic and steer it toward arbitrary bd state changes or file edits.
- Command Execution (MEDIUM): Found in scripts/validate.sh, which uses eval to run its validation checks. The check strings are static today, but eval re-parses its argument as shell code, so any future change that assembles a check from a file, an environment variable, or an inbox message turns the script into an arbitrary command execution primitive.
- Data Exfiltration (LOW): Uses mcp__mcp-agent-mail__send_message to transmit metadata such as commit SHAs, file lists, and status updates to external orchestrator identities. Rated LOW because the transmitted content is project metadata rather than credentials or file contents, but it still leaves the local environment.
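The eval pattern from the Command Execution finding, shown beside a hardened replacement. This is an added example, not the project's scripts/validate.sh: the audit only names eval, so the shape of the vulnerable call is assumed, and the check names (`syntax`, `nonempty`), the payload, and the sample target file are constructed for the demonstration.

```shell
#!/usr/bin/env bash
# Added example, not the project's scripts/validate.sh. The eval call below is
# an assumed reconstruction of the flagged pattern; check names and the sample
# target file are constructed for the demonstration.

# Constructed target for the checks: a syntactically valid shell script.
SAMPLE_FILE="$(mktemp)"
printf '#!/bin/sh\necho ok\n' > "$SAMPLE_FILE"
trap 'rm -f "$SAMPLE_FILE"' EXIT

# UNSAFE: the check string is re-parsed as shell source. Harmless while the
# caller passes a literal; arbitrary command execution the moment any part of
# the string comes from a config file, an environment variable, or a message.
run_check_unsafe() {
    eval "$1"
}

# SAFE: check names are matched against a fixed allowlist and each maps to a
# hard-coded argument vector. Caller input is only ever compared or passed
# as a single argument; nothing is handed back to the shell parser.
run_check_safe() {
    local name="$1" target="$2"
    case "$name" in
        syntax)   sh -n "$target" ;;
        nonempty) [ -s "$target" ] ;;
        *)
            printf 'validate: unknown check: %s\n' "$name" >&2
            return 2
            ;;
    esac
}

# Attacker-controlled "check" that smuggles a second command after a valid one.
PAYLOAD="sh -n $SAMPLE_FILE; echo INJECTED"

# What the unsafe variant does with the payload: runs the smuggled command
# and prints its output.
injected_unsafe() {
    run_check_unsafe "$PAYLOAD" 2>/dev/null
}

# What the safe variant does with the same payload: rejects it with status 2
# without executing anything. Prints the status so callers can compare.
injected_safe() {
    if run_check_safe "$PAYLOAD" "$SAMPLE_FILE" 2>/dev/null; then
        echo 0
    else
        echo $?
    fi
}

# Status of an arbitrary check name against the sample file, for comparison.
legit_safe() {
    if run_check_safe "$1" "$SAMPLE_FILE" 2>/dev/null; then echo 0; else echo $?; fi
}
```

The allowlist fails closed: an unrecognised name returns 2 instead of reaching an interpreter, which is the property a future dynamic caller actually needs. If the real script must accept a variable number of checks, keep the names in a case or associative lookup and never rebuild them into a string that eval or sh -c will parse.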
Recommendations
- AI detected serious security threats