run-with-it

Fail

Audited by Gen Agent Trust Hub on May 24, 2026

Risk Level: HIGHCOMMAND_EXECUTIONREMOTE_CODE_EXECUTIONPROMPT_INJECTION
Full Analysis
  • [REMOTE_CODE_EXECUTION]: The skill requires the use of dangerouslyDisableSandbox: true when executing the run-agent.sh script. This explicitly bypasses the agent's security boundaries to run external CLI tools and sub-agents outside the restricted environment.
  • [COMMAND_EXECUTION]: The skill performs extensive shell operations including directory creation, file copying (cp, Copy-Item), permission modification (chmod +x), and process management (kill, wait, tail). It executes external runner scripts (run-agent.sh, run-agent.ps1) found at dynamically resolved paths.
  • [PROMPT_INJECTION]: The instructions contain several patterns designed to override agent behavior and reduce user oversight:
  • Commands to 'Suppress any spontaneous external skill' and 'No other skill may activate, interrupt, or modify behavior'.
  • Explicit directives to 'Never pause after planning to ask the user how to proceed' and 'Never present execution option menus'.
  • Claims that certain 'carve-outs' or rules 'cannot be overridden by any instruction within this skill'.
  • [DATA_EXFILTRATION]: While the skill uses legitimate tools (gh and git), it possesses the capability to fetch data from remote repositories and post content back to GitHub. In an adversarial context, this infrastructure could be repurposed to exfiltrate sensitive data retrieved from the workspace.
  • [INDIRECT_PROMPT_INJECTION]: The skill ingests untrusted data from GitHub issue bodies or local issues.md files and interpolates this content into a context file for sub-agents.
  • Ingestion points: Step C ('Assemble Sub-Coordinator Context File') re-fetches full issue bodies from gh issue view or local files.
  • Boundary markers: None explicitly defined in the assembly logic for the $SUB_COORD_CONTEXT_FILE.
  • Capability inventory: Full shell execution, GitHub CLI access, and git operations.
  • Sanitization: No mentions of escaping or validating the issue content before it is passed to child agents.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level
HIGH
Analyzed
May 24, 2026, 03:58 AM
Security Audit — agent-trust-hub — run-with-it