step-orchestrator
Pass
Audited by Gen Agent Trust Hub on Mar 13, 2026
Risk Level: SAFECOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill explicitly allows for the execution of arbitrary test commands provided in the user prompt as part of the implementation loop.
- [PROMPT_INJECTION]: The skill exhibits an indirect prompt injection surface by ingesting and acting upon data from external step tables.
- Ingestion points: Task data and metadata are read from external 'step-table' sources identified by the user (SKILL.md, references/adapter-contract.md).
- Boundary markers: Absent. The instructions do not specify delimiters or warnings to ignore potentially malicious instructions embedded within the table rows.
- Capability inventory: The skill can spawn sub-agents (implementers and reviewers), execute shell commands for testing, and perform git commits (SKILL.md).
- Sanitization: No validation or sanitization mechanisms are described for the content retrieved from external sources before it is passed to sub-agents or used to drive the workflow loop.
Audit Metadata