port-daddy

Pass

Audited by Gen Agent Trust Hub on Jun 12, 2026

Risk Level: SAFECOMMAND_EXECUTIONPROMPT_INJECTIONEXTERNAL_DOWNLOADS
Full Analysis
  • [COMMAND_EXECUTION]: The skill provides multiple mechanisms to execute shell commands as part of its coordination workflow. Tools such as pd watch --exec, pd with-lock, and the 'fleet' background agent system are designed to run local scripts or commands in response to events like git commits or pub/sub messages.
  • [PROMPT_INJECTION]: The skill facilitates an indirect prompt injection surface by allowing agents to share data (notes, tuples, and pheromones) that is subsequently ingested by other agents. This creates a vector where malicious or compromised agents could influence the behavior of others.
  • Ingestion points: Agents ingest data from shared sources via pd sitrep, pd notes, pd salvage, pd pheromone sniff, and pd tuple rd (as seen in SKILL.md and schemas/mcp-tool-catalog.md).
  • Boundary markers: The instructions do not specify or recommend the use of delimiters or 'ignore' instructions when processing data originated from other agents.
  • Capability inventory: The skill possesses significant capabilities including arbitrary command execution (pd watch), background agent spawning (pd spawn), and the installation of git hooks (pd fleet init).
  • Sanitization: There is no evidence of sanitization, validation, or filtering of the content within notes or tuples before they are presented to or processed by other agents.
  • [EXTERNAL_DOWNLOADS]: The architecture.html file fetches the Mermaid.js library from the well-known cdn.jsdelivr.net service. This is used neutrally to render architectural diagrams within the provided documentation and follows established safe practices for documentation assets.
Audit Metadata
Risk Level
SAFE
Analyzed
Jun 12, 2026, 10:46 PM
Security Audit — agent-trust-hub — port-daddy