kage-bunshin
Pass
Audited by Gen Agent Trust Hub on Mar 29, 2026
Risk Level: SAFECOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill uses
subprocess.runto callgit,tmux, andclaudebinaries to automate the creation of git worktrees and the management of persistent interactive sessions. - [PROMPT_INJECTION]: The
spawn.pyscript is configured to launch sessions with the--dangerously-skip-permissionsflag, which bypasses standard interactive user confirmation for tool execution within those sessions. - [PROMPT_INJECTION]: The monitoring functionality in
monitor.pypresents an indirect prompt injection surface where content from a child session can manipulate the orchestrator. - Ingestion points: Terminal output captured from tmux panes in
scripts/monitor.py. - Boundary markers: None; the script parses raw terminal output using regex patterns.
- Capability inventory: The skill provides full control to send arbitrary keyboard input to child sessions and read their entire screen content.
- Sanitization: The detection of interactive states (e.g.,
AskUserQuestion) relies on regex matching that can be triggered or spoofed by content printed to the terminal within the child session.
Audit Metadata