Security Audit
agent-manager-skill
github.com/sickn33/antigravity-awesome-skills

Trust Assessment
agent-manager-skill received a trust score of 35/100, placing it in the Untrusted category. This skill has significant security findings that require attention before use in production.
SkillShield's automated analysis identified 3 findings: 0 critical, 3 high, 0 medium, and 0 low severity. Key findings include Potential Command Injection via Agent Assignment, Excessive Permissions Required for Skill Operation, Unpinned Git Dependency (Supply Chain Risk).
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The LLM Behavioral Safety layer scored lowest at 55/100, indicating areas for improvement.
Last analyzed on February 20, 2026 (commit e36d6fd3). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (3)

| Severity | Finding | Layer | Location |
|---|---|---|---|
| HIGH | Potential Command Injection via Agent Assignment: The skill's `assign` command allows arbitrary text input to be passed to an agent. If the underlying `main.py` script or the agents themselves do not properly sanitize or validate this input before processing it as commands or code, it could lead to arbitrary command execution on the host system. The skill's purpose of managing 'local CLI agents' suggests these agents are designed to execute commands, making this a direct and high-impact vector. Recommendation: Implement strict input validation and sanitization within `agent-manager/scripts/main.py` for all inputs, especially those passed to agents. Ensure agents operate within a sandboxed environment with minimal necessary permissions, and that any interpreted input is treated as data, not executable code. | LLM | SKILL.md:25 |
| HIGH | Excessive Permissions Required for Skill Operation: The skill is designed to 'Manage multiple local CLI agents via tmux sessions (start/stop/monitor/assign)'. This functionality inherently requires broad system permissions, including the ability to execute shell commands, manage processes, and interact with the filesystem. While necessary for its intended purpose, this level of access significantly increases the blast radius if the skill or an agent managed by it is compromised. Any vulnerability (e.g., command injection) would have a high impact due to these elevated privileges. Recommendation: Clearly document the extensive system permissions required by this skill and the associated security implications. Explore options for running agents with the principle of least privilege, potentially using containerization or other sandboxing mechanisms to limit their access to the host system. | LLM | SKILL.md:1 |
| HIGH | Unpinned Git Dependency (Supply Chain Risk): The installation instructions recommend cloning a Git repository (`https://github.com/fractalmind-ai/agent-manager-skill.git`) without specifying a particular version, commit hash, or tag. This means that future installations will always pull the latest `main` branch. If the upstream repository is compromised, or if malicious code is introduced into its `main` branch, users installing this skill would unknowingly download and execute potentially malicious code, leading to a supply chain attack. Recommendation: Pin the dependency to a specific, immutable version (e.g., a commit hash or a signed release tag). This ensures that users always install a known, verified version of the skill and are not susceptible to changes in the upstream repository's `main` branch. | LLM | SKILL.md:17 |
Full report: https://skillshield.io/report/0bdee195c8888738
Powered by SkillShield