doing-a-simple-two-stage-fanout

Pass

Audited by Gen Agent Trust Hub on Feb 23, 2026

Risk Level: SAFE
Findings: PROMPT_INJECTION, COMMAND_EXECUTION
Full Analysis
  • [PROMPT_INJECTION]: The skill is susceptible to Indirect Prompt Injection because it processes untrusted corpus data through subagents without sufficient sanitization or instruction isolation.
  • Ingestion points: The skill reads raw text or code from a user-provided corpus (referenced in SKILL.md Steps 1 and 5).
  • Boundary markers: The subagent prompt templates use structural headers like '## Input', but do not include explicit instructions for the agents to ignore instructions embedded within the corpus.
  • Capability inventory: The orchestrator can execute arbitrary shell commands via the Bash tool and create new agent tasks.
  • Sanitization: No evidence of input filtering or escaping is present for the data passed to subagents.
  • [COMMAND_EXECUTION]: The skill uses the Bash tool to perform file system operations and execute logic. It runs 'wc -c' for token estimation and executes a bundled script 'compute_layout.py' for pipeline configuration. It also generates and executes Python one-liners for arithmetic calculations to ensure precision, which is a standard procedure for complex orchestration.
Audit Metadata
  • Risk Level: SAFE
  • Analyzed: Feb 23, 2026, 08:38 PM