orchestration

Fail

Audited by Gen Agent Trust Hub on Feb 16, 2026

Risk Level: HIGH
Findings: PROMPT_INJECTION, COMMAND_EXECUTION
Full Analysis
  • PROMPT_INJECTION (HIGH): Vulnerable to Indirect Prompt Injection. The skill is designed to handle untrusted data from external sources and pass it to high-privilege sub-agents.
  • Ingestion points: The skill processes codebases, pull requests, and research topics (documented in SKILL.md and references/examples.md).
  • Boundary markers: It utilizes a 'WORKER AGENT' preamble to define agent roles, but lacks proper escaping or delimiters to prevent embedded instructions in user data from hijacking worker behavior.
  • Capability inventory: Spawned worker agents have direct access to 'Bash', 'Write', 'Edit', and 'Read' tools, enabling high-impact side effects (tools.md).
  • Sanitization: There is no evidence of sanitization or validation of untrusted content before interpolation into task prompts.
  • COMMAND_EXECUTION (HIGH): The architecture enables arbitrary command execution by proxy. While the orchestrator follows an 'Iron Law' against direct tool use, its primary function is to delegate high-privilege operations to workers. Malicious input processed by the orchestrator can lead to the execution of unauthorized shell commands via these workers.
Recommendations
  • AI detected serious security threats
Audit Metadata
  • Risk Level: HIGH
  • Analyzed: Feb 16, 2026, 07:52 AM