Manus AI Agent Integration
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGH
Tags: PROMPT_INJECTION, EXTERNAL_DOWNLOADS, DATA_EXFILTRATION, COMMAND_EXECUTION
Full Analysis
- Prompt Injection (HIGH): Vulnerable to Indirect Prompt Injection (Category 8). Evidence: Ingestion points include API responses and webhooks from Manus AI, which autonomously browses the web (SKILL.md). Boundary markers are absent in the provided templates. Capability inventory includes high-privilege 'Bash', 'Read', and 'Grep' tools. Sanitization is absent. This combination allows malicious instructions from websites visited by Manus AI to potentially execute local commands.
- External Downloads (MEDIUM): The skill requires the 'manus' and 'ai-delegate' CLI tools, which are non-standard and lack verifiable source links or integrity verification.
- Data Exfiltration (MEDIUM): Prompts, file attachments, and potentially sensitive data from OAuth-connected services (Gmail, Notion, Calendar) are sent to the external 'api.manus.ai' endpoint.
- Command Execution (MEDIUM): The skill encourages the use of Bash for interaction with third-party tools and the execution of a local Python Flask server for webhook processing, increasing the local attack surface.
Recommendations
- AI detected serious security threats
Audit Metadata