assign-agent
Warn
Audited by Gen Agent Trust Hub on Feb 19, 2026
Risk Level: MEDIUM (DATA_EXFILTRATION, COMMAND_EXECUTION, PROMPT_INJECTION)
Full Analysis
- [DATA_EXFILTRATION] (MEDIUM): Information exposure of local system structure. The skill hardcodes absolute paths referencing a specific user profile ('/Users/robertsale/') which leaks the host username and local directory configuration.
- [DATA_EXFILTRATION] (LOW): Leakage of session metadata. The 'Assignment prompt template' instructs the agent to post the 'CODEX_THREAD_ID' to GitHub issue comments. While these are session IDs, publishing them to public platforms can leak session history markers.
- [COMMAND_EXECUTION] (MEDIUM): Dynamic shell command injection via tmux. The 'codex-tmux' script uses 'tmux send-keys' to execute a command string built from the 'INITIAL_PROMPT'. Although 'printf %q' is used for escaping, launching an automated shell session with prompt content derived from external GitHub issues creates an execution surface for malicious instructions.
- [PROMPT_INJECTION] (LOW): Indirect Prompt Injection vulnerability surface. The skill is designed to ingest data from external GitHub issues and pass them to worker agents with high-privilege capabilities.
  - Ingestion points: The 'INITIAL_PROMPT' argument in 'codex-tmux' and the 'assignment prompt' in 'SKILL.md'.
  - Boundary markers: Absent. The prompt template does not use delimiters or instructions to ignore embedded commands in the issue context.
  - Capability inventory: Sub-agents (workers) can execute shell commands, manage git worktrees, and modify files.
  - Sanitization: Basic shell escaping is used for the launch string, but no semantic sanitization or filtering is performed on the prompt content.
Audit Metadata