nexus
Pass
Audited by Gen Agent Trust Hub on Apr 22, 2026
Risk Level: SAFE COMMAND_EXECUTION PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill is built to execute and manage sub-agent sessions and system commands (e.g., git status, log) through platform-specific tools like `Agent` and `spawn_agent` across various execution layers.
- [COMMAND_EXECUTION]: Instructions throughout the skill (SKILL.md, `references/execution-phases.md`, `references/orchestration-patterns.md`) mandate the use of `mode: bypassPermissions`. This setting allows sub-agents to perform tool operations without the standard user confirmation prompts, reducing oversight of potentially sensitive actions.
- [PROMPT_INJECTION]: As a meta-orchestrator, the skill has a significant attack surface for indirect prompt injection (Category 8). It processes untrusted user input and project data, which is then decomposed and passed as context to other specialist agents. The skill lacks explicit sanitization or filtering logic for these interpolated prompts, relying instead on its internal guardrail system (L1-L4) to detect failures after they occur.
  - Ingestion points: User requests and project-state data (SKILL.md, `references/proactive-mode.md`).
  - Boundary markers: Uses structured `_STEP_COMPLETE` and `NEXUS_HANDOFF` blocks to delimit agent communications, which provides some structure but does not prevent malicious instruction propagation.
  - Capability inventory: Extensive capability to read/write files and execute tools via the `Agent` tool and shell commands across multiple scripts.
  - Sanitization: No evidence of input sanitization or escaping before passing context to sub-agents.
Audit Metadata