agent-manager-skill
Fail
Audited by Gen Agent Trust Hub on Feb 27, 2026
Risk Level: HIGH
Findings: EXTERNAL_DOWNLOADS, REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
- [EXTERNAL_DOWNLOADS]: The skill instructs the user to clone an external repository from a source that is not listed as a trusted vendor (github.com/fractalmind-ai/agent-manager-skill.git).
- [REMOTE_CODE_EXECUTION]: The instructions command the execution of Python scripts (main.py) directly from the newly cloned untrusted repository, facilitating arbitrary code execution on the local system.
- [COMMAND_EXECUTION]: The skill uses tmux and subprocess execution to manage agent sessions, start/stop processes, and monitor logs, which grants the downloaded scripts significant control over the local environment.
- [PROMPT_INJECTION]: The 'assign' command uses a heredoc (<<'EOF') to feed instructions into the manager script. This is an indirect prompt injection surface where untrusted data could influence agent behavior or script execution logic. Evidence chain:
  1. Ingestion point: command-line heredoc.
  2. Boundary markers: none identified.
  3. Capability inventory: Python script execution and tmux process management.
  4. Sanitization: no evidence of input validation or escaping for the assigned tasks.
Recommendations
- AI detected serious security threats
Audit Metadata