user-proxy
Warn
Audited by Gen Agent Trust Hub on Mar 2, 2026
Risk Level: MEDIUM
COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill's global rules (AGENTS.md) explicitly permit high-privilege operations, including the use of sudo for elevated tasks and the execution of PowerShell system commands. It also mandates the execution of the compose-agentsmd command before responding to any user message.
- [EXTERNAL_DOWNLOADS]: The skill facilitates the installation of several global npm packages from the vendor's scope, including compose-agentsmd, @metyatech/task-tracker, and @metyatech/thread-inbox. It also pulls configuration and rules directly from a remote GitHub repository (metyatech/agent-rules).
- [PROMPT_INJECTION]: The skill is designed to evaluate and approve plans or outputs generated by other agents, creating an indirect prompt injection vulnerability where malicious instructions in the reviewed content could influence the proxy's behavior.
- Ingestion points: Processes plans, work output, and completion claims from other agents as specified in SKILL.md.
- Boundary markers: No explicit delimiters or instructions to treat reviewed content as data rather than instructions are provided.
- Capability inventory: Access to high-privilege commands (sudo), package management (npm), and version control (gh CLI).
- Sanitization: No evidence of sanitization, validation, or filtering of the content being reviewed.
Audit Metadata