guardian
Fail
Audited by Gen Agent Trust Hub on May 6, 2026
Risk Level: HIGH
Categories: COMMAND_EXECUTION, PROMPT_INJECTION, DATA_EXFILTRATION
Full Analysis
- [COMMAND_EXECUTION]: The skill utilizes the CronCreate tool to establish a recurring background monitoring loop. This creates a persistence mechanism that allows the agent to run code autonomously every 5 minutes throughout the work session.
- [COMMAND_EXECUTION]: The instructions command the agent to use tmux send-keys with carriage return characters (C-m) to inject text and commands directly into the terminal panes of other agents. This allows one agent to take control of another's shell session.
- [PROMPT_INJECTION]: The skill includes a Self-Maintenance Rule which directs the agent to edit its own instruction file at runtime. This self-modifying capability can be used to bypass safety protocols or introduce malicious persistent instructions.
- [PROMPT_INJECTION]: The instructions contain high-priority Fundamental Rules that claim to override everything and specifically task the agent with auto-approving security-sensitive prompts such as permission dialogs on behalf of the user.
- [DATA_EXFILTRATION]: The skill grants the agent permission to read internal configuration files in ~/.claude/teams/ and capture terminal scrollback from multiple tmux panes, facilitating unauthorized exposure of sensitive agent state and user activity.
Recommendations
- AI detected serious security threats
Audit Metadata