llm-council
Fail
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: HIGH
Findings: COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
- [DATA_EXFILTRATION] (HIGH): The 'LIBRARY-FIRST PROTOCOL' explicitly instructs the agent to search 'D:\Projects\*' and 'EXTRACT' content. This provides the agent with broad, unmediated access to potentially sensitive local source code, credentials in configuration files, or proprietary intellectual property across the entire drive.
- [COMMAND_EXECUTION] (MEDIUM): The command pattern 'bash scripts/multi-model/llm-council.sh "<query>"' is vulnerable to shell command injection. Because the user-controlled '<query>' is interpolated directly into a bash call, an attacker could use shell metacharacters (e.g., ';', '&&', or a backtick) to execute arbitrary code on the host system.
- [PROMPT_INJECTION] (LOW): The skill uses imperative language such as 'MANDATORY', 'MUST check', and 'Decision Matrix' to override standard AI behavior and prioritize its file-scanning and extraction protocol over user safety constraints.
- [PROMPT_INJECTION] (LOW): The skill is highly vulnerable to indirect prompt injection because it processes untrusted queries and synthesizes outputs from multiple LLMs without sanitization.
  - Ingestion points: The '<query>' parameter in the bash command and the model responses A, B, and C during the ranking/synthesis stages in 'llm-council.sh'.
  - Boundary markers: Absent; the skill does not define or enforce delimiters to separate instructions from data during synthesis.
  - Capability inventory: 'Bash', 'Read', 'Write', and 'TodoWrite'.
  - Sanitization: None; data is passed directly to the shell and the synthesis prompt without filtering or escaping.
Recommendations
- AI detected serious security threats
Audit Metadata