autonomous-dispatcher
Warn
Audited by Gen Agent Trust Hub on Mar 15, 2026
Risk Level: MEDIUMCOMMAND_EXECUTIONCREDENTIALS_UNSAFEPROMPT_INJECTIONDATA_EXFILTRATION
Full Analysis
- [COMMAND_EXECUTION]: Executes several local shell scripts and binaries to manage the dispatching process. It sources 'scripts/gh-app-token.sh' for authentication and executes 'scripts/dispatch-local.sh' to spawn background tasks. It also utilizes the 'gh' (GitHub CLI) and 'jq' binaries for data manipulation and schedules a persistent cron job using the 'openclaw' command.
- [CREDENTIALS_UNSAFE]: Accesses a private key PEM file via the 'DISPATCHER_APP_PEM' environment variable to generate authentication tokens for GitHub API interactions.
- [DATA_EXFILTRATION]: Performs extensive network operations with the GitHub API to fetch issue titles, bodies, and comments. While GitHub is a trusted service, the ingestion of this untrusted content creates a significant attack surface.
- [PROMPT_INJECTION]: Vulnerable to indirect prompt injection due to parsing data from GitHub. (1) Ingestion points: Reads issue bodies and comments via 'gh issue view'. (2) Boundary markers: No delimiters are used to separate untrusted content from internal logic. (3) Capability inventory: Executes local scripts via 'bash', modifies issue state via 'gh', and checks process status via 'kill'. (4) Sanitization: Implements basic regex validation for session IDs and dependency numbers.
Audit Metadata