parallel-task
Pass
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: SAFE
PROMPT_INJECTION
Full Analysis
- PROMPT_INJECTION (LOW): The orchestrator is vulnerable to Indirect Prompt Injection (Category 8) due to its handling of external plan files.
- Ingestion points: The orchestrator reads markdown plan files (e.g., plan.md) in Step 2 to extract task descriptions and acceptance criteria.
- Boundary markers: Absent. The skill interpolates extracted content directly into the 'Task Prompt Template' without delimiters or 'ignore embedded instructions' warnings.
- Capability inventory: Subagents launched by the orchestrator have the ability to read files, modify source code, execute validation tests, and commit changes to the repository (Step 3 and Task Prompt Template).
- Sanitization: Absent. There is no evidence of validation or filtering for the content extracted from the plan files before it is passed to subagents.
- Risk: An attacker-controlled plan file could contain instructions within a 'Task Description' that override the subagent's goals, potentially leading to unauthorized code modification or data exposure during the execution/validation phase.
Audit Metadata