agenthub

Pass

Audited by Gen Agent Trust Hub on May 19, 2026

Risk Level: SAFECOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The script result_ranker.py utilizes subprocess.run with shell=True to execute evaluation commands (e.g., tests or benchmarks) defined in the session configuration. This allows for arbitrary command execution within the agent's worktree environment if the configuration is influenced by malicious input.
  • [COMMAND_EXECUTION]: Several management scripts (dag_analyzer.py, session_manager.py, result_ranker.py) execute shell-based git commands via subprocesses to manage branches, worktrees, and history.
  • [PROMPT_INJECTION]: The skill's fan-out architecture creates a surface for indirect prompt injection. The coordinator agent ingests repository diffs and agent result summaries from the filesystem (.agenthub/board/results/). Since sub-agents work on untrusted repository data, a malicious file could potentially influence a sub-agent's output to deceive the coordinator's evaluation process or merge decision.
  • [PROMPT_INJECTION]: The sub-agent templates in references/agent-templates.md lack boundary markers or sanitization for interpolated data such as the task description and repository content, making the agents more likely to follow instructions embedded within the files they are analyzing.
Audit Metadata
Risk Level
SAFE
Analyzed
May 19, 2026, 02:06 AM
Security Audit — agent-trust-hub — agenthub