hosted-agents
Warn
Audited by Gen Agent Trust Hub on Apr 13, 2026
Risk Level: MEDIUM
Findings: COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The infrastructure patterns in `references/infrastructure-patterns.md` and `scripts/sandbox_manager.py` demonstrate unsafe shell command execution. Specifically, user-supplied identity data (name and email) is directly interpolated into shell commands via `os.system` and `execute_command` without sanitization. This allows a malicious user to execute arbitrary shell commands inside the sandbox by providing a crafted username or email string.
  - Evidence in `references/infrastructure-patterns.md`: `os.system(f'git config user.name "{user_identity["name"]}"')` and `os.system(f'git config user.email "{user_identity["email"]}"')`.
  - Evidence in `scripts/sandbox_manager.py`: `await sandbox.execute_command(f'git config user.name "{user.name}"')`.
- [PROMPT_INJECTION]: The `classify_repository` function in `references/infrastructure-patterns.md` creates a surface for indirect prompt injection. It takes raw user messages and interpolates them directly into an LLM prompt used to determine the target repository, without any boundary markers or escaping.
  - Ingestion points: the `message` parameter in `classify_repository` (found in `references/infrastructure-patterns.md`).
  - Boundary markers: absent; the raw user input is placed directly into a multi-line f-string prompt template.
  - Capability inventory: the classification result influences the target environment where the agent session is initialized, potentially allowing an attacker to redirect the agent to an unauthorized repository.
  - Sanitization: absent; the code does not perform any validation or escaping of the user-provided message.
Audit Metadata