Audit

Result: Fail

Audited by Gen Agent Trust Hub on May 12, 2026

Risk Level: HIGH
Flagged categories: REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, EXTERNAL_DOWNLOADS
Full Analysis
  • [COMMAND_EXECUTION]: Multiple scripts and components execute system-level commands through subprocesses and shell scripts.
      • _cli/cli/dependencies.py and _shared/tools/yaml_compat.py use subprocess.run to execute pip install commands.
      • _cli/cli/orchestrator/agent_caller.py executes the claude CLI as a subprocess to perform analysis tasks.
      • _shared/tools/workflow-init.sh and other shell utilities perform intensive file system and process operations.
      • The sub-agents (perspectives) are explicitly granted the Bash tool, allowing them to execute arbitrary commands on the host system during the audit process.
  • [EXTERNAL_DOWNLOADS]: The skill automatically fetches and installs dependencies from external registries without user confirmation.
      • _cli/cli/dependencies.py attempts to install typer, rich, pydantic, and PyYAML from PyPI if they are missing.
      • _shared/tools/dependency-utils.sh contains logic to install system-level packages using package managers such as brew, apt-get, apk, dnf, and yum.
  • [REMOTE_CODE_EXECUTION]: The combination of automated dependency installation and the ability of agents to execute shell commands creates a significant risk of remote code execution if the sub-agents are influenced by malicious codebase content.
  • [PRIVILEGE_ESCALATION]: The script _shared/tools/dependency-utils.sh contains commands that attempt to use sudo to install system packages.
      • Evidence: sudo apt-get install -y "$package" and sudo yum install -y "$package" are called in the maw_install_system_package function, which can be triggered automatically during the setup or execution of various tools.
  • [INDIRECT_PROMPT_INJECTION]: The skill's primary function is to read and analyze codebase files. This provides a large attack surface for indirect prompt injection.
      • Ingestion points: Codebase files are read via Read, Glob, and Grep in _cli/cli/orchestrator/agent_caller.py.
      • Boundary markers: Absent. The sub-agents are not explicitly instructed to treat file contents as untrusted data.
      • Capability inventory: Sub-agents have access to the Bash, WebFetch, and Read tools.
      • Sanitization: Absent. Content from the codebase is processed directly by the LLM sub-agents.
Recommendations
  • AI detected serious security threats
Audit Metadata
  • Risk Level: HIGH
  • Analyzed: May 12, 2026, 04:06 AM