synapse-manager
Fail
Audited by Gen Agent Trust Hub on May 17, 2026
Risk Level: HIGHCOMMAND_EXECUTIONREMOTE_CODE_EXECUTIONPROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: Systematic automation of security prompt bypass. The documentation in 'references/auto-approve-flags.md' and the skill's operational logic encourage and automate the use of safety-disabling flags for multiple tools (Claude Code, Gemini CLI, Codex, etc.). Flags such as '--permission-mode=bypassPermissions', '--approval-mode=yolo', and '--allow-all' are used to suppress user approval for file modifications and shell execution.
- [COMMAND_EXECUTION]: Execution of test suites on dynamic file paths. The 'scripts/regression_triage.sh' script executes 'pytest' on paths provided as command-line arguments. This allows for arbitrary code execution if the agent is directed to run tests on malicious or untrusted files.
- [REMOTE_CODE_EXECUTION]: Multi-agent command chain risks. By design, the skill allows a manager agent to spawn and delegate tasks to sub-agents with full bypass privileges. This creates an environment where a single compromised agent or a successful prompt injection can trigger unconstrained remote code execution across the entire team of agents.
- [PROMPT_INJECTION]: Vulnerability to indirect prompt injection (Category 8). The skill acts as a coordinator that ingests data from multiple agents and external memory stores without sufficient sanitization or boundary markers.
- Ingestion points: Data enters the manager context through 'synapse list' snapshots, 'synapse history' logs, and direct messages received via 'synapse send'.
- Boundary markers: Absent; the instructions do not implement delimiters or 'ignore instructions' warnings when processing content from other agents.
- Capability inventory: The skill possesses powerful capabilities including 'synapse spawn' (agent creation), 'synapse send' (task delegation), 'pytest' (code execution), and 'git stash' (filesystem state manipulation).
- Sanitization: Absent; agent-generated content and feedback are forwarded directly into new task instructions and shared memory.
Recommendations
- AI detected serious security threats
Audit Metadata