skills/lidessen/skills/agent-worker/Gen Agent Trust Hub

agent-worker

Warn

Audited by Gen Agent Trust Hub on Mar 7, 2026

Risk Level: MEDIUM (COMMAND_EXECUTION, PROMPT_INJECTION)
Full Analysis
  • [COMMAND_EXECUTION]: The workflow configuration supports a 'setup' phase that executes arbitrary shell commands on the local system (e.g., 'git log', 'gh pr diff', 'cat config.json'). These commands run with the user's local privileges to gather data for the agent session.
  • [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection through its setup and kickoff pipeline.
      * Ingestion points: Data is ingested from external sources via 'shell' commands in the YAML 'setup' block (e.g., in SKILL.md and reference/workflow.md).
      * Boundary markers: No explicit delimiters or 'ignore' instructions are used when interpolating external data into the 'kickoff' prompt.
      * Capability inventory: Agents can execute subprocesses, write to shared workspace documents, and interact with external AI providers.
      * Sanitization: Ingested shell output is interpolated directly into prompts using the '${{ variable }}' syntax without filtering or validation.
  • [COMMAND_EXECUTION]: The 'agent-worker schedule' functionality enables background persistence by triggering agent sessions at defined intervals or via cron expressions. This facilitates automated, non-interactive execution of prompts and tool calls.
  • [COMMAND_EXECUTION]: The skill allows the inclusion of external logic via the '--tool' parameter, which dynamically loads and executes local TypeScript files as agent capabilities.
Audit Metadata
Risk Level: MEDIUM
Analyzed: Mar 7, 2026, 06:12 PM