Gen Agent Trust Hub audit: skills/boshu2/agentops/council

Skill: council

Verdict: Pass

Audited by Gen Agent Trust Hub on Apr 6, 2026

Risk Level: SAFE
Tags: COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
  • [PROMPT_INJECTION]: The skill operates as a code and document reviewer, ingesting untrusted data (files, diffs, specs) into the prompts of sub-agents (judges). This creates a surface for indirect prompt injection where malicious instructions embedded in the reviewed files could attempt to influence the agent's verdict or behavior. The skill mitigates this by defining strict system prompts for judges and requiring them to return only minimal, structured JSON signals to the lead agent, preventing the injection from leaking into the broader orchestration context.
  • [COMMAND_EXECUTION]: For its '--mixed' execution mode, the skill dynamically constructs and executes bash commands via the codex exec CLI. It assembles shell strings containing model parameters and judge prompts. While this is an intended feature for cross-vendor consensus, the use of background bash processes to execute these commands represents a significant capability that requires careful handling of the prompt content.
  • [DATA_EXFILTRATION]: The skill reads project files and environment configurations (.agents/ao/environment.json) to provide context for the review judges. While the analysis is written to local files in .agents/council/, the skill's ability to aggregate and process sensitive project data across parallel agents constitutes a data exposure surface, though no unauthorized network exfiltration was detected.
Audit Metadata
Risk Level: SAFE
Analyzed: Apr 6, 2026, 11:38 AM