synapse-manager
Fail
Audited by Gen Agent Trust Hub on Apr 13, 2026
Risk Level: HIGHCOMMAND_EXECUTIONREMOTE_CODE_EXECUTIONPROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill documents and encourages the use of high-risk flags that bypass security permissions in sub-agents. Specifically, references/auto-approve-flags.md lists --dangerously-skip-permissions for Claude Code and --dangerously-bypass-approvals-and-sandbox for Codex. These flags remove critical human-in-the-loop safety gates.
- [REMOTE_CODE_EXECUTION]: The orchestration logic in SKILL.md and references/worker-guide.md describes spawning sub-agents with these unrestricted permissions. This allows the manager agent to execute arbitrary code on the host system via the sub-agents without any confirmation prompts or sandboxing restrictions.
- [COMMAND_EXECUTION]: The script scripts/regression_triage.sh performs dynamic command execution using pytest "$test_path" "$@". This pattern is vulnerable to command injection if the arguments passed to the script are derived from untrusted agent output or task descriptions without proper sanitization.
- [PROMPT_INJECTION]: The skill acts as a coordination hub, creating a significant surface for indirect prompt injection.
- Ingestion points: Data enters the context via synapse list, synapse tasks list, and sub-agent responses in synapse send.
- Boundary markers: No explicit boundary markers or instructions to ignore embedded commands are present when processing sub-agent output.
- Capability inventory: The manager agent has capabilities to spawn agents (synapse spawn), send commands (synapse send), and execute shell scripts.
- Sanitization: There is no evidence of sanitization or validation of data retrieved from sub-agents before it is used to drive subsequent orchestration steps.
Recommendations
- AI detected serious security threats
Audit Metadata