manager
Pass
Audited by Gen Agent Trust Hub on Apr 9, 2026
Risk Level: SAFE
PROMPT_INJECTION, EXTERNAL_DOWNLOADS, COMMAND_EXECUTION, DATA_EXFILTRATION
Full Analysis
- [PROMPT_INJECTION]: The skill implements a persistent 'manager' role that takes over the agent's behavior for the entire session. It also presents an indirect prompt injection surface by delegating work to sub-agents using templates that interpolate untrusted data.
- Ingestion points: User task descriptions and sub-agent execution reports are ingested as context for new agent dispatches.
- Boundary markers: The templates use plain text headers (e.g., 'Original requirements:') but lack formal delimiters or instructions to ignore embedded commands.
- Capability inventory: The skill can spawn background processes (`agents-mcp`), execute shell commands, and interact with the GitHub API.
- Sanitization: No explicit sanitization is performed on user or sub-agent content before interpolation.
- [EXTERNAL_DOWNLOADS]: The skill instructions (README.md and AGENTS.md) direct the installation of several external tools, including `agents-mcp`, `compose-agentsmd`, `@metyatech/task-tracker`, and `@metyatech/thread-inbox`. These are hosted on NPM or GitHub and originate from the author's namespace.
- [COMMAND_EXECUTION]: The skill frequently executes CLI tools such as `git`, `gh`, `npm`, and `npx` for orchestration. It also provides specific PowerShell scripts to bypass local policy restrictions on file deletion.
- [DATA_EXFILTRATION]: The skill is designed to automate repository management, including committing, pushing to remote repositories, and creating GitHub releases, which involves sending project code and metadata to external servers.