amq-cli
Fail
Audited by Gen Agent Trust Hub on May 11, 2026
Risk Level: HIGHREMOTE_CODE_EXECUTIONEXTERNAL_DOWNLOADSCOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
- [EXTERNAL_DOWNLOADS]: Fetches an installation script from the author's official GitHub repository (avivsinai/agent-message-queue).
- [REMOTE_CODE_EXECUTION]: Executes the downloaded installation script via a shell pipe (curl | bash) as part of the prerequisite setup.
- [PROMPT_INJECTION]: Instructions in the 'Quick Start' section encourage agents to use flags such as
--dangerously-skip-permissionsand--dangerously-bypass-approvals-and-sandbox, which are designed to override tool-internal security constraints. - [PROMPT_INJECTION]: The skill processes external data (inter-agent messages) which introduces a surface for indirect prompt injection.
- Ingestion points: Messages are read from the mailbox directory via
amq drain,amq list, andamq read(SKILL.md, references/coop-mode.md). - Boundary markers: The CLI implements strict header validation and moves malformed messages to a Dead Letter Queue (DLQ) (references/coop-mode.md).
- Capability inventory: Capabilities include executing
amqcommands, modifying project files likeWORKFLOW.mdviasymphony init, and running shell-based statusline scripts (SKILL.md, references/integrations.md). - Sanitization: Relies on the underlying CLI's header validation and RFC3339 timestamp checks (references/message-format.md).
- [COMMAND_EXECUTION]: Provides shell script snippets for terminal integration, including statusline updates and tab title manipulation using ANSI escape sequences.
- [COMMAND_EXECUTION]: Includes the
amq integration symphony initcommand which modifies local project files (WORKFLOW.md).
Recommendations
- HIGH: Downloads and executes remote code from: https://raw.githubusercontent.com/avivsinai/agent-message-queue/main/scripts/install.sh - DO NOT USE without thorough review
Audit Metadata