agentmesh-governance
Pass
Audited by Gen Agent Trust Hub on Mar 27, 2026
Risk Level: SAFECOMMAND_EXECUTIONEXTERNAL_DOWNLOADS
Full Analysis
- Command Argument Interpolation: Several scripts, including check-policy.sh, verify-identity.sh, and audit-log.sh, pass shell variables directly into Python code strings. This pattern is a security consideration because input containing shell or Python delimiters could be used to execute unintended code. Evidence: In scripts/check-policy.sh, the line 'action = "$ACTION"' allows any value in the --action argument to be interpreted as Python code if it contains single quotes.
- Third-Party Dependency Source: The setup instructions in SKILL.md suggest installing a core dependency from a personal GitHub repository if the package is not found on the official registry. This introduces a dependency on a source outside of the primary vendor's organizational control. Evidence: The command pip install 'agentmesh @ git+https://github.com/imran-siddique/agent-mesh.git' points to a repository outside of the official vendor's organization.
Audit Metadata