agent-builder
Fail
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: HIGH
Findings: COMMAND_EXECUTION, REMOTE_CODE_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
- COMMAND_EXECUTION (HIGH): Templates in scripts/init_agent.py and references/minimal-agent.py implement a 'bash' tool using subprocess.run(shell=True). The Level 0 scaffold performs no command filtering, allowing arbitrary shell execution. Level 1 and tool-templates.py use a trivial string blacklist (blocking 'sudo', 'rm -rf /') that is easily bypassed with command substitution or alternative shell syntax.
- REMOTE_CODE_EXECUTION (HIGH): By design, the skill facilitates RCE by creating agents that execute shell commands provided by the AI model. Since these agents ingest user input directly into their reasoning loop, an attacker can manipulate the agent into executing malicious code.
- DATA_EXFILTRATION (MEDIUM): The 'read_file' and 'bash' tools allow access to sensitive environment files and workspace data. In the absence of egress filtering or path sanitization, an agent could be coerced into reading and transmitting sensitive credentials or source code.
- PROMPT_INJECTION (LOW): The skill's philosophy of 'getting out of the way' results in an architecture that lacks boundary markers or defensive system instructions. This makes agents highly susceptible to indirect prompt injection, where malicious instructions in processed files can override the agent's intended behavior.
Evidence Chain: (1) Ingestion point: user input loop in generated scripts; (2) Boundary markers: absent in templates; (3) Capability inventory: bash, write_file; (4) Sanitization: minimal string blacklist.
Recommendations
- AI detected serious security threats
Audit Metadata