agent-council
Fail
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: CRITICAL
EXTERNAL_DOWNLOADS, COMMAND_EXECUTION, DATA_EXFILTRATION, REMOTE_CODE_EXECUTION
Full Analysis
- [EXTERNAL_DOWNLOADS] (CRITICAL): An automated scanner (URLite) confirmed a blacklisted URL in the requirements documentation. This indicates the skill references known malicious infrastructure or distribution points.
- [COMMAND_EXECUTION] (HIGH): The worker script `scripts/council-job-worker.js` uses `child_process.spawn` to execute commands defined in `council.config.yaml`. This allows the execution of any system binary if the configuration is modified or if the agent is persuaded to add malicious members to the council.
- [DATA_EXFILTRATION] (HIGH): Subprocesses are spawned with `env: process.env`, providing the external AI CLI tools with full access to the host agent's environment variables. This poses a high risk of leaking sensitive API keys, session tokens, and local configuration secrets to external providers.
- [INDIRECT PROMPT INJECTION] (LOW): The skill accepts unsanitized user input and pipes it directly into the arguments of external processes, creating a surface for prompt injection attacks targeting the member AI CLIs.
  - Ingestion points: User-provided question in `council.sh`.
  - Boundary markers: None; input is passed as a raw string argument.
  - Capability inventory: Subprocess spawning and environment access.
  - Sanitization: None; input is appended directly to the command-line arguments without escaping or filtering.
Recommendations
- AI detected serious security threats
- Contains 1 malicious URL(s) - DO NOT USE
Audit Metadata