skills/kashyab12/uni-pstack/arena/Gen Agent Trust Hub

arena

Warn

Audited by Gen Agent Trust Hub on Jul 10, 2026

Risk Level: MEDIUMCOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The skill explicitly directs the agent to execute the spawn-codex-worker script and use direct codex exec to launch background CLI workers.
  • [PROMPT_INJECTION]: The instructions mandate overriding default agent behaviors, specifically requiring the replacement of standard model defaults with specific requested models like "gpt-5.6-sol" and overriding Cursor-specific commands with direct host terminal operations.
  • [PROMPT_INJECTION]: The skill creates an indirect prompt injection surface by instructing the agent to read and "graft" content from multiple subagent outputs ("candidates") without explicit sanitization or boundary markers.
  • Ingestion points: Candidate outputs and rationales produced in Phase B and processed in Phases C, D, and E.
  • Boundary markers: The instructions do not specify any delimiters or warnings to ignore embedded instructions within candidate content.
  • Capability inventory: The skill utilizes shell execution via codex exec, file system writes to /tmp/ and git worktrees, and background process management.
  • Sanitization: No validation or filtering is mentioned for the content synthesized from the various candidates.
  • [DATA_EXFILTRATION]: The skill uses /tmp/arena-<slug>/ for storing output from multiple parallel attempts, which could lead to sensitive data exposure in multi-user environments if permissions are not strictly managed.
Audit Metadata
Risk Level
MEDIUM
Analyzed
Jul 10, 2026, 04:46 PM