debate
Pass
Audited by Gen Agent Trust Hub on Mar 15, 2026
Risk Level: SAFE
Findings: COMMAND_EXECUTION, PROMPT_INJECTION, EXTERNAL_DOWNLOADS
Full Analysis
- [COMMAND_EXECUTION]: The skill provides templates for invoking various CLI tools such as Claude, Gemini, and Codex. Specifically, the Codex CLI pattern uses shell command substitution (`$(cat ...)`) to pass prompt content as a command-line argument, which could be exploited for command injection if the input content contains shell metacharacters.
- [PROMPT_INJECTION]: The debate workflow ingests untrusted data from the user and from other AI models, interpolating it into prompts for subsequent debate rounds.
  - Ingestion points: Untrusted content is processed via the `{topic}`, `{proposer_round1_response}`, and `{challenger_previous_response}` variables in `SKILL.md`.
  - Boundary markers: Horizontal rules (`---`) and labeled headers are used to separate external responses from instructions, though these can be bypassed by sophisticated inputs.
  - Capability inventory: The agent executing the skill has capabilities to write to state directories and execute arbitrary shell commands to run other models.
  - Sanitization: The skill does not define any sanitization or escaping logic for the data before interpolation.
- [EXTERNAL_DOWNLOADS]: The skill references an external script `acp/run.js` for ACP transport functionality. This script is not included in the skill definition, making its security and integrity unverifiable.
Audit Metadata