agenthub
Pass
Audited by Gen Agent Trust Hub on May 19, 2026
Risk Level: SAFECOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The script
result_ranker.pyutilizessubprocess.runwithshell=Trueto execute evaluation commands (e.g., tests or benchmarks) defined in the session configuration. This allows for arbitrary command execution within the agent's worktree environment if the configuration is influenced by malicious input. - [COMMAND_EXECUTION]: Several management scripts (
dag_analyzer.py,session_manager.py,result_ranker.py) execute shell-basedgitcommands via subprocesses to manage branches, worktrees, and history. - [PROMPT_INJECTION]: The skill's fan-out architecture creates a surface for indirect prompt injection. The coordinator agent ingests repository diffs and agent result summaries from the filesystem (
.agenthub/board/results/). Since sub-agents work on untrusted repository data, a malicious file could potentially influence a sub-agent's output to deceive the coordinator's evaluation process or merge decision. - [PROMPT_INJECTION]: The sub-agent templates in
references/agent-templates.mdlack boundary markers or sanitization for interpolated data such as the task description and repository content, making the agents more likely to follow instructions embedded within the files they are analyzing.
Audit Metadata