multi-agent-coordinator
Pass
Audited by Gen Agent Trust Hub on Mar 21, 2026
Risk Level: SAFE
PROMPT_INJECTION
Full Analysis
- [PROMPT_INJECTION]: The skill implements an orchestration layer that processes and stores data from multiple sub-agents, creating a surface for indirect prompt injection.
  - Ingestion points: Untrusted data enters the orchestrator's context via run.py through the --record-output, --handoff, and --register commands, which process arbitrary strings for tasks, roles, and results.
  - Boundary markers: The state management logic lacks explicit delimiters or instructions that would prevent the agent from misinterpreting stored sub-agent data as system-level instructions.
  - Capability inventory: The run.py script is restricted to local file system operations (reading and writing state.yaml) and does not directly execute subprocesses or perform network operations, which limits the immediate impact of an injection.
  - Sanitization: No input validation or sanitization is applied to the strings received from sub-agents before they are stored in the shared state file.
Audit Metadata