agent-manager-skill
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGH
Tags: EXTERNAL_DOWNLOADS, REMOTE_CODE_EXECUTION, COMMAND_EXECUTION
Full Analysis
- [EXTERNAL_DOWNLOADS/REMOTE_CODE_EXECUTION] (HIGH): The skill instructs users to clone a repository from an untrusted GitHub source (github.com/fractalmind-ai/agent-manager-skill) and execute Python scripts from that repository. This pattern facilitates the execution of unverified third-party code on the host machine.
- [COMMAND_EXECUTION] (HIGH): The core functionality revolves around managing subprocesses via tmux. The assign command uses a heredoc (EOF) to ingest multi-line instructions, which creates a significant attack surface for command injection if the input is not strictly sanitized before being processed by the underlying scripts.
- [Indirect Prompt Injection] (HIGH):
  - Ingestion points: Untrusted task instructions are ingested through the assign command in SKILL.md.
  - Boundary markers: None identified; instructions are passed directly via heredoc.
  - Capability inventory: The skill is capable of starting, monitoring, and managing CLI agents in background sessions.
  - Sanitization: No evidence of sanitization for the instructions passed to the agents.
- [Persistence Mechanisms] (MEDIUM): The skill explicitly mentions 'cron-friendly scheduling', which is a mechanism used to ensure tasks or scripts persist and run automatically across sessions or reboots.
Recommendations
- AI detected serious security threats
Audit Metadata