fleet-ops
Pass
Audited by Gen Agent Trust Hub on May 18, 2026
Risk Level: SAFECOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The script
scripts/fleet.shuses theevalcommand to execute theTEST_CMDstring defined in the local configuration file.claude/fleet/config. This allows for arbitrary shell command execution during the landing process. - [COMMAND_EXECUTION]: The skill manages a background daemon process using
Bash(run_in_background: true)and implements signal trapping and PID file management to coordinate multiple sessions. - [COMMAND_EXECUTION]: The
initcommand performs automated modifications to the repository's.gitignorefile and may execute Git commits to track these changes automatically. - [PROMPT_INJECTION]: The skill possesses an indirect prompt injection attack surface.
- Ingestion points: The
scripts/signal.shscript reads and parses file content from user-provided paths (intended for test logs) to determine if a lane is "READY". - Boundary markers: None; the content of the log file is processed without delimiters to isolate it from the signaling logic.
- Capability inventory: The orchestrator script
scripts/fleet.shcan execute shell commands viaevaland perform high-impact Git operations likemerge,revert, andrebasebased on the signals. - Sanitization: Limited to basic keyword filtering (grep) for failure or error markers within the log files.
Audit Metadata