worker-orchestrator
Fail
Audited by Gen Agent Trust Hub on Feb 21, 2026
Risk Level: HIGH
Findings: COMMAND_EXECUTION, REMOTE_CODE_EXECUTION, PROMPT_INJECTION
Full Analysis
- COMMAND_EXECUTION (HIGH): In scripts/spawn.sh, the skill executes the Claude CLI with the --dangerously-skip-permissions flag. This flag explicitly bypasses safety guardrails and permission prompts, granting the sub-agent unrestricted access to the local filesystem and terminal without user oversight.
- COMMAND_EXECUTION (HIGH): The spawn.sh script uses tmux send-keys to pipe the {task} variable directly into a terminal session. Because the input is not escaped or sanitized, an attacker can provide a crafted task string (e.g., using quotes or semicolons) to execute arbitrary shell commands on the host machine.
- PROMPT_INJECTION (LOW): The skill is highly vulnerable to indirect prompt injection in scripts/collect.sh.
  - Ingestion points: Reads content from .worker-result.md created by sub-workers.
  - Boundary markers: Absent. The content is echoed directly into the agent's context without delimiters.
  - Capability inventory: The orchestrator has the ability to spawn/kill sessions and write to the filesystem via the Claude CLI.
  - Sanitization: Absent. No filtering is performed on the worker's output before it is read by the main agent.
- REMOTE_CODE_EXECUTION (HIGH): The combined use of permissive CLI flags and raw command injection via tmux allows the skill to be used as a proxy for executing arbitrary code remotely if the task input is controlled by an external or untrusted source.
Recommendations
- AI detected serious security threats
Audit Metadata