oracle
Pass
Audited by Gen Agent Trust Hub on Feb 28, 2026
Risk Level: SAFE
PROMPT_INJECTION
Full Analysis
- [PROMPT_INJECTION]: The `scripts/oracle.sh` script is vulnerable to indirect prompt injection. It accepts untrusted input from a user-provided file or stdin and interpolates it directly into a complex system prompt.
  - Ingestion points: User-provided plan content is read into the `PLAN_CONTENT` variable within `scripts/oracle.sh`.
  - Boundary markers: The script uses basic markdown delimiters (e.g., `---`) to separate system instructions from user content. These are insufficient to prevent an attacker from escaping the context and injecting instructions that override the Oracle's behavior.
  - Capability inventory: The AI's output is written to a new file in the `/tmp` directory. While the execution environment for the model is restricted via `--sandbox read-only`, an attacker could manipulate the generated critique or attempt to extract system instructions.
  - Sanitization: No escaping, filtering, or instruction-aware validation is applied to the user-provided plan content before it is processed.
Audit Metadata