swain-stage
Fail
Audited by Gen Agent Trust Hub on Mar 14, 2026
Risk Level: HIGH (REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, PROMPT_INJECTION)
Full Analysis
- [REMOTE_CODE_EXECUTION]: The `scripts/swain-stage.sh` script contains a suggested command for installing the `micro` editor using `curl https://getmic.ro | bash` when the tool is not found. While `getmic.ro` is the official distribution site for this well-known editor, piping remote scripts directly into a shell is a security anti-pattern as it executes unverified code.
- [COMMAND_EXECUTION]: The `scripts/swain-stage.sh` script constructs and executes shell commands in tmux panes using values resolved from `swain.settings.json` and `references/layouts/*.json`. Specifically, the `editor` setting is interpolated into shell commands without sanitization or shell escaping in the `cmd_layout` and `cmd_pane` functions. This creates a vulnerability surface where a malicious configuration file in a repository could trigger arbitrary command execution. Additionally, `scripts/swain-motd.py` uses f-string interpolation for repository paths in shell commands, which could be problematic if paths contain shell meta-characters.
- [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection (Category 8) where malicious configuration data in a repository can influence agent capabilities and lead to command execution.
  - Ingestion points: The skill reads settings from `swain.settings.json` and layout definitions from repository files.
  - Boundary markers: No delimiters or "ignore embedded instructions" warnings are used when processing these settings.
  - Capability inventory: The skill executes shell commands via `tmux split-window` across multiple scripts.
  - Sanitization: No shell escaping or validation is applied to the `editor` configuration string before it is passed to the shell.
Recommendations
- HIGH: Downloads and executes remote code from: https://getmic.ro - DO NOT USE without thorough review
Audit Metadata