agent-manager
Audited by Socket on Apr 12, 2026
2 alerts found:
Anomaly x2
SUSPICIOUS: the skill's core capabilities fit its stated purpose of local agent orchestration, and it lacks obvious credential harvesting or off-platform exfiltration. However, it grants broad local control, supports autonomous scheduled execution, injects transitive skill content into agent prompts, and can drive downstream agent actions with Bash/Write/Edit power, making it a medium-to-high operational security risk rather than clear malware.
No direct evidence of overt malware (e.g., exfiltration, credential harvesting, backdoors, or obfuscated payload execution) is visible in this fragment. However, it contains high-impact orchestration capabilities, most notably an executable shell-script writer that embeds a `command` string verbatim and chmods it 0755, plus dynamic sys.path manipulation and strong prompt/session injection controls. If upstream configuration can be influenced by an attacker or is insufficiently allowlisted, the executable-script sink becomes a meaningful command-execution risk. This module should be reviewed together with the implementations of command/launcher resolution and any downstream code that executes the generated scripts.