archon
Fail
Audited by Gen Agent Trust Hub on Jun 20, 2026
Risk Level: HIGHPROMPT_INJECTIONCOMMAND_EXECUTIONEXTERNAL_DOWNLOADS
Full Analysis
- [PROMPT_INJECTION]: The skill instructions in
SKILL.mdmandate the use of theIS_SANDBOX=1environment variable. This is explicitly documented as a method to bypass Claude Code's internal safety restriction that prevents the--dangerously-skip-permissionsflag from being used when the process is running as root. - [COMMAND_EXECUTION]: The skill uses dynamic context injection (
!command) inSKILL.mdto execute the commandarchon workflow listimmediately when the skill is loaded by the agent. While used for discovery of workflows, this executes shell code at the moment of interaction. - [EXTERNAL_DOWNLOADS]: The
guides/setup.mdfile contains instructions to download and execute the Bun installer script fromhttps://bun.sh/installviacurl | bash. Bun is a well-known and trusted development tool. - [PROMPT_INJECTION]: The skill architecture creates a surface for indirect prompt injection by processing external data.
- Ingestion points: Untrusted data from issues and user messages enter the context via
$ARGUMENTSand$nodeId.outputinexamples/dag-workflow.yamlandreferences/workflow-dag.md. - Boundary markers: Absent. The prompts do not use specific delimiters or instructions to ignore embedded commands within the processed data.
- Capability inventory: The skill can execute shell scripts via
bash:nodes and has significant filesystem access through the Archon CLI and Model Context Protocol (MCP) servers. - Sanitization: According to
references/variables.md,$nodeId.outputvalues are shell-quoted withinbash:nodes to mitigate direct command injection, though this does not prevent logic-based indirect prompt injection.
Recommendations
- AI detected serious security threats
Audit Metadata