Skills
skills/lidessen/moniro/agent-worker/Gen Agent Trust Hub

agent-worker

Fail

Audited by Gen Agent Trust Hub on Mar 7, 2026

Risk Level: HIGHCOMMAND_EXECUTIONREMOTE_CODE_EXECUTIONCREDENTIALS_UNSAFEDATA_EXFILTRATIONPROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The setup phase in YAML workflow definitions allows for the execution of arbitrary shell commands. Commands such as git log or cat config.json are run with the user's privileges, which can be exploited to execute malicious system-level operations if a workflow configuration is untrusted.
  • [REMOTE_CODE_EXECUTION]: The skill supports dynamic tool loading through the --tool CLI argument and YAML tools definitions. This allows for the importation and execution of arbitrary TypeScript or JavaScript code from local files, providing a mechanism for unauthorized code execution.
  • [CREDENTIALS_UNSAFE]: The variable interpolation system allows environment variables (${{ env.VAR }}) to be directly embedded into prompts and kickoff messages. This creates a risk of exposing sensitive secrets, such as API keys or access tokens, to the LLM backend or other agents in a multi-agent environment.
  • [DATA_EXFILTRATION]: The combination of shell command execution in the setup phase and the ability to pass the resulting output to the LLM provides a direct path for reading sensitive local files and sending their contents to external model providers.
  • [PROMPT_INJECTION]: The skill exhibits an indirect prompt injection surface by design. 1. Ingestion points: Untrusted external data from shell outputs (e.g., git diff) and shared documents are ingested into the prompt context. 2. Boundary markers: No explicit delimiters or instructions to ignore embedded commands are present during interpolation. 3. Capability inventory: The skill possesses significant system-level capabilities including shell access and file writing. 4. Sanitization: There is no evidence of validation or filtering of external content before it is interpolated into agent instructions.
  • [COMMAND_EXECUTION]: The agent-worker schedule command facilitates the creation of periodic tasks via cron or interval schedules. While intended for monitoring, this capability could be abused to maintain persistent execution of malicious commands within the agent framework.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level
HIGH
Analyzed
Mar 7, 2026, 04:49 PM