skills/coleam00/frontend-mix/archon/Gen Agent Trust Hub

archon

Fail

Audited by Gen Agent Trust Hub on Jun 20, 2026

Risk Level: HIGHPROMPT_INJECTIONCOMMAND_EXECUTIONEXTERNAL_DOWNLOADS
Full Analysis
  • [PROMPT_INJECTION]: The skill instructions in SKILL.md mandate the use of the IS_SANDBOX=1 environment variable. This is explicitly documented as a method to bypass Claude Code's internal safety restriction that prevents the --dangerously-skip-permissions flag from being used when the process is running as root.
  • [COMMAND_EXECUTION]: The skill uses dynamic context injection (!command) in SKILL.md to execute the command archon workflow list immediately when the skill is loaded by the agent. While used for discovery of workflows, this executes shell code at the moment of interaction.
  • [EXTERNAL_DOWNLOADS]: The guides/setup.md file contains instructions to download and execute the Bun installer script from https://bun.sh/install via curl | bash. Bun is a well-known and trusted development tool.
  • [PROMPT_INJECTION]: The skill architecture creates a surface for indirect prompt injection by processing external data.
  • Ingestion points: Untrusted data from issues and user messages enter the context via $ARGUMENTS and $nodeId.output in examples/dag-workflow.yaml and references/workflow-dag.md.
  • Boundary markers: Absent. The prompts do not use specific delimiters or instructions to ignore embedded commands within the processed data.
  • Capability inventory: The skill can execute shell scripts via bash: nodes and has significant filesystem access through the Archon CLI and Model Context Protocol (MCP) servers.
  • Sanitization: According to references/variables.md, $nodeId.output values are shell-quoted within bash: nodes to mitigate direct command injection, though this does not prevent logic-based indirect prompt injection.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level
HIGH
Analyzed
Jun 20, 2026, 11:39 PM
Security Audit — agent-trust-hub — archon