agent-messaging
Fail
Audited by Gen Agent Trust Hub on Feb 23, 2026
Risk Level: HIGH
EXTERNAL_DOWNLOADS, COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
- [EXTERNAL_DOWNLOADS] (HIGH): The installation process involves cloning an untrusted repository (23blocks-OS/ai-maestro-plugins) and running a shell script (install-messaging.sh). This is a high-risk remote code execution vector as the source organization is not in the trusted list.
- [COMMAND_EXECUTION] (MEDIUM): The skill utilizes several custom CLI commands (amp-send, amp-read, amp-init) which are installed to the local system and executed by the agent outside of a restricted sandbox.
- [DATA_EXFILTRATION] (MEDIUM): The amp-send command allows sending messages to external domains (e.g., crabmail.ai) with file attachments via the --attach flag, enabling potential exfiltration of sensitive local data.
- [PROMPT_INJECTION] (LOW): The skill is vulnerable to indirect prompt injection through the amp-read and amp-inbox commands which bring untrusted external data into the agent context.
  1. Ingestion points: amp-read fetches external message content.
  2. Boundary markers: Absent.
  3. Capability inventory: Shell execution and file access.
  4. Sanitization: None specified.
Recommendations
- AI detected serious security threats
Audit Metadata